COMMUNICATIONS OF THE ACM
CACM.ACM.ORG 02/2010 VOL.53 NO.02
Recent Progress in Quantum Algorithms
Alternate Interface Technologies
Open Access to Scientific Publications
Using Static Analysis to Find Bugs
ACM Fellows
Association for
Computing Machinery
http://fdg2010.org
FDG 2010: The International Conference on the Foundations of Digital Games
June 19-21, 2010

Submission Deadlines:
Papers & Posters: 5th Feb
Doctoral Consortium: 12th Feb
Demos: 2nd April

Topics: Game Studies; Infrastructure (Databases, Networks, Security); Learning in Games; Computer Science & Game Design; Games Education; Graphics & Interfaces; Artificial Intelligence

An Official Conference of the Society for the Advancement of the Science of Digital Games (SASDG), in cooperation with ACM and its Special Interest Groups on Computer Science Education and Artificial Intelligence (SIGART).

Conference Chair: Ian Horswill, Northwestern University
Program Chair: Yusuf Pisan, University of Technology, Sydney
Doctoral Consortium Chair: Zoran Popovic, University of Washington
Workshops Chair: Michael Mateas, University of California, Santa Cruz
Panels Chair: Ian Bogost, Georgia Institute of Technology
Tutorials Chair: Robin Hunicke, That Game Company
Industrial Relations Chair: Hiroko Osaka, Northwestern University
Local Arrangements Chair: Marilyn Walker, University of California, Santa Cruz
Webmaster: Karl Cheng-Heng Fua, Northwestern University

FDG 2010 Supported by SASDG.
Photo credits:
1. (CC) Veronica Vale - www.flickr.com/people/vbv
2. © Asilomar Conference Grounds - www.visitasilomar.com
3. (CC) Andrew Fitzhugh - www.flickr.com/people/fitzhugh
4. (CC) Steve Schnwarz - www.flickr.com/people/vasculata
COMMUNICATIONS OF THE ACM
44 Power-Efficient Software
Power-manageable hardware can help save energy, but what can software developers do to address the problem?
By Eric Saxe

49 Managing Contention for Shared Resources on Multicore Processors
Contention for caches, memory controllers, and interconnects can be eased by contention-aware scheduling algorithms.
By Alexandra Fedorova, Sergey Blagodurov, and Sergey Zhuravlev

Article development led by queue.acm.org

58 Software Model Checking Takes Off
A translator framework enables the use of model checking in complex avionics systems and other industrial settings.
By Steven P. Miller, Michael W. Whalen, and Darren D. Cofer

66 A Few Billion Lines of Code Later: Using Static Analysis to Find Bugs in the Real World
How Coverity built a bug-finding tool, and a business, around the unlimited supply of bugs in software systems.
By Al Bessey, Ken Block, Ben Chelf, Andy Chou, Bryan Fulton, Seth Hallem, Charles Henri-Gros, Asya Kamsky, Scott McPeak, and Dawson Engler

76 Assessing the Changing U.S. IT R&D Ecosystem
The National Academy of Sciences recommends what the U.S. government should do to help maintain American IT leadership.
By Eric Benhamou, Jon Eisenberg, and Randy H. Katz

Review Articles

84 Recent Progress in Quantum Algorithms
What quantum algorithms outperform classical computation and how do they do it?
By Dave Bacon and Wim van Dam

Research Highlights

96 Technical Perspective: Strange Effects in High Dimension
By Sanjoy Dasgupta

97 Faster Dimension Reduction
By Nir Ailon and Bernard Chazelle

105 Technical Perspective: Want to be a Bug Buster?
By Shekhar Y. Borkar

106 Post-Silicon Bug Localization for Processors Using IFRA
By Sung-Boem Park and Subhasish Mitra

Virtual Extension
As with all magazines, page limitations often prevent the publication of articles that might otherwise be included in the print edition. To ensure timely publication, ACM created Communications’ Virtual Extension (VE). VE articles undergo the same rigorous review process as those in the print edition and are accepted for publication on their merit. These articles are now available to ACM members in the Digital Library.

Reversing the Landslide in Computer-Related Degree Programs
Irma Becerra-Fernandez, Joyce Elam, and Susan Clemmons

Practical Intelligence in IT: Assessing Soft Skills of IT Professionals
Damien Joseph, Soon Ang, Roger H.L. Change, and Sandra A. Slaughter

Wireless Insecurity: Examining User Security Behavior on Public Networks
Tim Chenoweth, Robert Minch, and Sharon Tabor

Informatics Creativity: A Role for Abductive Reasoning?
John Minor Ross

Designs for Effective Implementation of Trust Assurances in Internet Stores
Dongmin Kim and Izak Benbasat

Taking a Flexible Approach to ASPs
Farheen Altaf and David Schuff

Managing a Corporate Open Source Software Asset
Vijay K. Gurbani, Anita Garvert, and James D. Herbsleb

Takes Two to Tango: How Relational Investments Improve IT Outsourcing Partnerships
Nikhil Mehta and Anju Mehta

About the Cover: Hopes abound for a future with quantum computers and the algorithms that steer them. On page 84, Dave Bacon and Wim van Dam trace the latest discoveries in quantum algorithms that outperform their classical counterparts. Kenn Brown and Chris Wren, of Vancouver-based Mondolithic Studios, created a vision of quantum rings, dots, and algorithms encircling a Bloch sphere.
Communications of the ACM is the leading monthly print and online magazine for the computing and information technology fields.
Communications is recognized as the most trusted and knowledgeable source of industry information for today’s computing professional.
Communications brings its readership in-depth coverage of emerging areas of computer science, new trends in information technology,
and practical applications. Industry leaders use Communications as a platform to present and debate various technology implications,
public policies, engineering challenges, and market trends. The prestige and unmatched reputation that Communications of the ACM
enjoys today is built upon a 50-year commitment to high-quality editorial content and a steadfast dedication to advancing the arts,
sciences, and applications of information technology.
An Issue of Teamwork
This column was supposed to write itself.
When Editor-in-Chief Moshe Vardi first asked me to
tell readers how a typical issue of Communications comes
together, I remember thinking “piece of cake.”
After all, I’ve been part of that monthly process since Bill Gates earned his first billion. One column, coming up.

So, why have I been staring at a blank screen the last three days? The reason, I must admit, is the same reason I’ve enjoyed this work for so long. The real beauty of working on ACM’s flagship publication is that nothing is ever the same. Unlike the majority of commercial and trade magazines, Communications rarely covers the same topic twice. Each issue truly follows a unique path to fruition.

In an effort to impart some sense of the production process, let’s take this issue as an example. Many of the seeds for this edition were planted by mid-2009. Our cover story on quantum algorithms was invited by the EiC, but often the articles and viewpoints have been submitted and accepted after rigorous review by members of Communications’ Editorial Board (for details, see Author Guidelines http://cacm.acm.org/about-communications/author-center/author-guidelines).

The News Board, working with Senior Editor Jack Rosenberger, teleconferences monthly to determine the most important and timely stories to pursue for each issue. Managing Editor Tom Lambert works with the Viewpoints Board to ensure that section presents a compelling collection of columnists and commentary, delivering many diverse views on science and industry practices from around the world. Monthly features like CACM Online and Last Byte are also spirited by HQ editors.

The editorial lineup for each issue is a collaborative effort by the EiC, Board section chairs, and HQ staff. The EiC has the final word on all things editorial and makes the ultimate decision on the cover story and cover image. In a perfect world, all the manuscripts slated for each issue (save news stories) should be in the hands of HQ editors eight weeks prior to publication. That’s when the real production cycle begins.

Pulling the Pieces Together
While the editorial elements have had months to simmer, the cover image and assorted graphical complements throughout this issue have only a few weeks to craft. The goal of the editorial artwork is to draw readers into an article by reflecting the subject in an intriguing way or by adding a creative spin to the subject. Given the assortment of topics in any edition, this is no small task. Therefore, one of the first steps in the process is a meeting with Group Publisher Scott Delman, staff editors, Art Director Andrij Borys, and Associate Art Director Alicia Kubista. Editors relay the gist of each article and volley ideas on how to best represent them graphically. Cover ideas take shape and artists and photographers are tapped. Over the weeks we watch early sketches turn into colorful works. Cover concepts can go through many iterations, often changing direction and detail as they progress.

While artwork is germinating, Lambert, Rosenberger, and Senior Editor Andrew Rosenbloom are editing every manuscript slated for the month. Working closely with the authors, their goal is to help make each article crisp and tight. Edited articles are sent to Assistant Art Director Mia Angelica Balaquiot, who flows the text into page galleys and redraws every submitted figure and table accompanying those articles to ensure a professional uniform presentation. Galleys are sent to the contact author for each article for one last look prior to publication. All final editorial tweaks are made; the design phase then takes over.

This is the juncture where editorial, artwork, and over 100 empty magazine pages merge. Borys and his team work under the ever-looming deadline to pull all the pieces together into a cohesive unit that flows from news stories, to viewpoints, to feature articles, to research, with lots of eye-catching elements in between. Staff editors read over every page one last time.

Advertising Sales Coordinator Jennifer Ruzicka submits the ad pages slated for the issue, and Production Manager Lynn D’Addesio coordinates every move between HQ and the printing facilities in Richmond, VA, where the final product is ultimately shipped.

As soon as one issue of Communications is “put to bed,” we all move to the next one. There’s art to discuss, authors to contact, and deadlines, always deadlines. The process may not always run this smoothly (ah, perfect world), but each issue always reflects a total team effort, and it is always a privilege to be part of that team.

Diane Crawford, EXECUTIVE EDITOR
Dear Colleague,

At a time when computing is at the center of the growing demand for technology jobs worldwide, ACM is continuing its work on initiatives to help computing professionals stay competitive in the global community. ACM’s increasing involvement in activities aimed at ensuring the health of the computing discipline and profession serve to help ACM reach its full potential as a global and diverse society which continues to serve new and unique opportunities for its members.

As part of ACM’s overall mission to advance computing as a science and a profession, our invaluable member benefits are designed to help you achieve success by providing you with the resources you need to advance your career and stay at the forefront of the latest technologies.

I would also like to take this opportunity to mention ACM-W, the membership group within ACM. ACM-W’s purpose is to elevate the issue of gender diversity within the association and the broader computing community. You can join the ACM-W email distribution list at http://women.acm.org/joinlist.

Please take a moment to consider the value of an ACM membership for your career and your future in the dynamic computing profession.

Sincerely,
Wendy Hall
President
Association for Computing Machinery
Advancing Computing as a Science & Profession
in the virtual extension
DOI:10.1145/1646353.1646357
Reversing the Landslide in Computer-Related Degree Programs
Irma Becerra-Fernandez, Joyce Elam, and Susan Clemmons
Undergraduate and graduate enrollment in computer information system (CIS)-related coursework has been on a steady decline. The number of bachelor’s degrees in computer science has fallen dramatically since 2004; a similar trend is also affecting academic programs that combine business and IT education. Rumors of CIS faculty layoffs compound the grim job outlook of CIS graduates, who fear not being able to find jobs in a market already plagued by challenges brought about by the dot com demise and IT outsourcing. How can CIS programs survive? This article details some successful intervention strategies that can be implemented to weather the impending crisis, and details how these interventions helped one institution reverse the downturn and reinvent the image of its CIS programs.

Practical Intelligence in IT: Assessing Soft Skills of IT Professionals
Damien Joseph, Soon Ang, Roger H.L. Change, and Sandra A. Slaughter
What qualities make a successful IT professional? This study develops and tests a measure of soft skills or practical intelligence of IT professionals, defined as intrapersonal and interpersonal strategies for managing self, career, and others. The instrument—SoftSkills for IT (SSIT)—elicits individuals’ responses to IT work-related incidents and was administered to practicing IT professionals and inexperienced IT undergraduates. Results indicate that practical intelligence is measurable and SSIT discriminates between experienced and inexperienced IT professionals. This study concludes by identifying practical implications for selection, training, and development and proposes future research directions on assessing practical intelligence.

Wireless Insecurity: Examining User Security Behavior on Public Networks
Tim Chenoweth, Robert Minch, and Sharon Tabor
Wireless networks are becoming ubiquitous but often leave users responsible for their own security. The authors study whether users are securing their computers when using wireless networks. Automated techniques are used that scan users’ machines after they associate with a university wireless network. Results show that over 9% of 3,331 unique computers scanned were not using a properly configured firewall. In addition, almost 9% had at least one TCP port open, with almost 6% having open ports with significant security implications. The authors also discuss cases where connected computers were compromised by Trojan programs, such as SubSeven and NetBus.

Informatics Creativity: A Role for Abductive Reasoning?
John Minor Ross
Analysts and programmers may be stymied when faced with novel tasks that seem beyond the reach of prior education and experience. Sometimes a solution appears, however, while considering something else seemingly altogether unrelated. Coming up with new ideas or creative approaches to overcome such problems may be less daunting once the role of abductive reasoning is considered.

Designs for Effective Implementation of Trust Assurances in Internet Stores
Dongmin Kim and Izak Benbasat
A study of 85 online stores offers a snapshot of how often Internet stores use trust assurances and what concerns they address. These findings will help business managers understand how other companies use trust assurances and help identify what can be improved within their organizations. For example, the authors determine that about 38% of total assurances were delivered in an ineffective way, which might cause shopping-cart-abandonment problems. The article offers design guidelines for trust assurances for Web developers based on the authors’ analysis and previous studies.

Taking a Flexible Approach to ASPs
Farheen Altaf and David Schuff
There has been a recent revival of the ASP model through the notion of cloud computing and “software as a service.” The purpose of this article is to better comprehend the Small to Medium Enterprise (SME) market for ASPs through an analysis of the factors that are most important to likely adopters. Through a survey of 101 SMEs, the authors find that cost, financial stability, reliability, and flexibility are all significantly associated with self-assessed likelihood of ASP adoption. Surprisingly, flexibility was negatively associated with likelihood of adoption, possibly indicating a perception that ASPs are not sought for their flexibility.

Managing a Corporate Open Source Software Asset
Vijay K. Gurbani, Anita Garvert, and James D. Herbsleb
Corporations have used open source software for a long time. But can a corporation internally develop its software using the open source development models? It may seem that open source style development—using informal processes, voluntary assignment to tasks, and having few financial incentives—may not be a good match for commercial environments. This ongoing work demonstrates that under the right circumstances, corporations can indeed benefit from adopting open source development methodologies. This article presents findings on how corporations can structure software teams to succeed in developing commercial software using the open-source software development model.

Takes Two to Tango: How Relational Investments Improve IT Outsourcing Partnerships
Nikhil Mehta and Anju Mehta
As the recent economic crisis has shown, client-vendor partnerships can quickly regress into a contractual arrangement with a primitive cost-cutting objective. Based on interviews with 21 vendor executives in India, the authors recommend that clients with a long-term vision for their IT outsourcing function may do well by developing mature partnerships with their vendors. To address the general lack of understanding about how to make it happen, the authors make provisional recommendations advising clients to make relational investments in selective areas. Key client benefits of such investments include improved service quality, cost savings, improved vendor sensitivity toward information security and privacy, and improved vendor capabilities to fulfill clients’ future IT needs.
DOI:10.1145/1646353.1646358  http://cacm.acm.org/blogs/blog-cacm

… and Technology

Guest blogger Valerie Barr writes about highlights of the ninth Grace Hopper Celebration of Women in Computing Conference, including keynote speeches by Megan Smith and Francine Berman.

From “Grace Hopper Conference Opening Session: Part 1”
http://cacm.acm.org/blogs/blog-cacm/43989
The theme of the ninth Grace Hopper Celebration (GHC) of Women in Computing is “Creating Technology for Social Good.” This is a theme that has clearly resonated with many people as the conference totally sold out, with 1,608 attendees! There are 178 companies represented, 23 countries, and 728 students. There were more than 100 people who volunteered for the 16 committees that helped organize different aspects of the conference. One-quarter of the attendees, 430 people, are involved in presentations of panels, papers, workshops, and Birds of a Feather sessions. In addition to the usual conference type of activities, one of the sessions on Wednesday was a resumé review—the volunteer reviewers read more than 300 resumés.

A wonderful element of GHC is the emphasis on networking. At the conference opening on Thursday, Heidi Kvinge of Intel, the conference chair, challenged attendees to make the most of this aspect of the conference by introducing themselves to at least five new people per day. For the undergraduates in particular, Heidi gave a wonderful example of an elevator speech, demonstrating how they could capture all the key details about themselves in just a few sentences.

Heidi also acknowledged the support of SAP, which sponsors videoing at the conference. She showed the “I Am A Technical Woman” video that was made at GHC last year, which you can view at http://www.anitaborg.org/news/video. This is a great way to get a sense of what GHC is like, to understand the incredible energy at the conference. As per Heidi’s request, please pass this video on to your friends and colleagues, and to anyone you know who has a daughter.

From “Grace Hopper Keynote 1: Megan Smith”
http://cacm.acm.org/blogs/blog-cacm/44258
Thursday’s keynote address was by Megan Smith, vice president of new business development and general […] acquisitions that resulted in Google Earth and Google Maps. In her talk Megan focused on the interconnectedness of CS, using four examples of areas that demonstrate this.

1. Interconnectedness of people around the world: When you look at Google query traffic worldwide, you see that there is almost no query traffic from Africa, though there is increasing SMS activity. For example, M-Pesa is a service in Kenya that allows full telephony-based money transfer. But the “real” commercial Internet is coming to Africa. Google is opening five new offices in Africa, bringing its total to seven. It will be doing maps and supporting all the “usual” Google apps, working with the Grameen AppLab, working on health-related applications, building on existing SMS efforts, and working to get NGO information on the Web.

2. Interconnectedness of data: People at Google have been generating real-time information about the spread of flu. They have used search logs to predict flu rates, based on the belief that the first thing people do when they get sick is start searching the Web. It turns out that they are 89% accurate on seasonal flu rates, based on verification with U.S. Centers for Disease Control and Prevention (CDC) data. The benefit of this data-mining work is that Google can actually give the CDC real-time information more quickly than the CDC gets it from doctors and hospitals. Next, Google is working to get these applications into multiple languages—it turns out that in many parts of the world it is becoming cheaper to collect data digitally than on paper, so the developing world can begin to move in this direction as well, using the data mining of digital data to gain information on trends.

3. Civil liberties: Events in Iran and Colombia have demonstrated the use of technology to mobilize people. The Alliance of Youth Movements Summit, held last year in New York City and soon to be held again, taught people how to create youth groups, and heavily utilized Webcasts and Facebook. Megan discussed the role that technology can play for people in “extreme” situations such as how SMS alerts can be used in parts of Africa to warn women about safe travel routes. She argued that technology can help speed up the improvement of life, particularly for women, in some parts of the world where there is still great danger. She also discussed the potential for improving education, such as creating opportunities for collaboration between schools across geographic and economic divides.

4. The environment: There are many CS opportunities in building the control systems involved for new energy-delivery approaches. For example, SolarBox is an application that will help groups of people organize to increase their buying power of solar panels in their neighborhood. Google’s PowerMeter application will help people see power usage in their home. Studies show that once people know how much energy they are using, they usually decrease usage by 5%–15%.

Megan closed by saying that the 21st century will be all about these kinds of interconnectedness, and that there are many, many opportunities for people in CS to work on exciting, interesting, and relevant projects.

From “Grace Hopper Keynote 2: Fran Berman”
http://cacm.acm.org/blogs/blog-cacm/44532
The second keynote speaker was Fran Berman, vice president for research at Rensselaer Polytechnic Institute. Fran was formerly director of San Diego Supercomputer Center and has worked for years in the design and development of a national-scale cyberinfrastructure.

Fran’s talk was entitled “Creating Technology for the Social Good: A Prologue.” Her basic message was that science, engineering, and technology really matter when it comes to addressing and solving the most pressing problems facing society today.

As an example of a problem, and a solution born out of technology, she briefly discussed the area of safer environments through earthquake prediction. Basically, computer models are being developed to predict seismic activity. These models are then run on supercomputers, which generate output in the form of seismic predictions, showing where seismic activity will occur and how long it will last after an initial quake. This information is being used to develop new building codes, better disaster-response plans, and targeted retrofitting of older construction. Other examples Fran cited are the OLPC project to bring computers to children in the developing world and iRobot, which is developing robots suited for dangerous situations so that humans don’t have to be exposed to danger and risk.

But Fran argues there is a major area that we have to address as the “prologue” to effectively addressing the large problems. That issue is data. We have to harness data, so that we can turn it into information and knowledge. This will help us create a strong foundation for efforts driven by science and engineering.

Electronic data is fragile. Much of it, such as wikis and Web sites, disappears quickly or is changed often. And there’s a lot of it! There is currently more than a zettabyte of data. The U.S. Library of Congress alone has more than 295 terabytes of data. We are running out of room in which to store it all, so we have to be cognizant of the data life cycle and look at ways in which computer scientists can support the data life cycle. But we also have to recognize that the CS view of data is different than a librarian’s view of data which, in turn, is different than an individual user’s view of data.

So the key questions we need to think about are: What should we save? How should we save it? Who should pay for it?

Addressing these questions now is part of the process of creating a strong foundation for the technology work we will be doing in the years to come. Fran pointed out that we have to prepare today’s students with technical skills, but that they also have to be prepared to understand international cultures, business, politics, and policy. Only then will they be ready to take on leadership roles in the years to come. Fran closed by saying that to create positive change we have to ask the hard questions, particularly about the representation of women and minorities in CS; create goals and metrics of success, and then hold people to them; publicly recognize the successes of our colleagues and students; and, when possible, use our role to create policy, set priorities, and handle resource allocation.

From “Final Thoughts About Grace Hopper Conference”
http://cacm.acm.org/blogs/blog-cacm/44533
My wrap-up from Grace Hopper—some Web sites and information about women and technology worldwide, much of it gleaned during the session “The ‘F’ Word: Feminism and Technology.” The repeated message was that we have to see technology as a means to an end, not an end itself. If we want to build technology to help women, particularly in the developing world, we have to have the relevant context and involve women themselves in the development process. For example, in rural Pakistan the majority of women are illiterate, so a text-based Internet tool is useless. But an audiovisual medium, like one that is currently being used to provide information about health-care services, will be much more successful. While in the developed world we seem to always think of a computer solution, usually Web-based, to problems, these days the technology that will help women is most likely to involve mobile phones. This has been demonstrated in Africa by the Advancement through Interactive Radio project in which mobile phone technology allows women to participate in call-in programs on TV and radio, giving them a voice in community affairs which they had not previously had.

Valerie Barr is the chair of the computer science department at Union College.

© 2010 ACM 0001-0782/10/0200 $10.00

FEBRUARY 2010 | VOL. 53 | NO. 2 | COMMUNICATIONS OF THE ACM | 11
cacm online
DOI:10.1145/1646353.1646359  David Roman

ACM Member News
FIRST-EVER CS EDUCATION …

Alternate Interface Technologies Emerge
Researchers working in human-computer interaction are developing new interfaces to produce greater efficiencies in personal computing and enhance miniaturization in mobile devices.
HARDWARE ENGINEERS CONTINUE to pack more processing power into smaller designs, opening up an array of possibilities that researchers say will lead to human-computer interfaces that are more natural and efficient than the traditional hallmarks of personal computing. These smaller designs have given rise to new mobile platforms, where the barrier to further miniaturization no longer is the hardware itself but rather humans’ ability to interact with it. Researchers working in human-computer interaction (HCI) are dedicating effort in both areas, developing interfaces that they say will unlock greater efficiencies and designing new input mechanisms to eliminate some of the ergonomic barriers to further miniaturization in mobile technology.

NanoTouch, a back-of-device input technology for very small screens on mobile devices and electronic jewelry. The technology demonstrated here by Patrick Baudisch was developed at Microsoft Research and Hasso Plattner Institute.
PHOTO COURTESY OF KAY HERSCHELMANN

Patrick Baudisch, a computer science professor at Hasso Plattner Institute in Potsdam, Germany, points out that there are two general approaches to HCI, a field that draws on computer science, engineering, psychology, physics, and several design disciplines. One approach focuses on creating powerful but not always totally reliable interfaces, such as speech or gesture input. The other focuses on creating less complex, more reliable input techniques. Partial to the second approach, Baudisch argues that interfaces developed with simplicity and reliability in mind facilitate an uninterrupted engagement with the task at hand, increasing the opportunity for users to experience what psychologist Mihaly Csikszentmihalyi calls “optimal experience” or “flow.”

Baudisch began his HCI career in the Large Display User Experience group at Microsoft Research, where he focused on how users could interact
more effectively with wall displays and other large-format technologies that render traditional input techniques nearly useless. In his current work at the Hasso Plattner Institute, Baudisch focuses on projects designed to facilitate the transition from desktop to mobile computing. “There is a single true computation platform for the masses today,” he says. “It is not the PC and not One Laptop Per Child. It is the mobile phone—by orders of magnitude. This is the exciting and promising reality we need to design for.”

One example of an interface technology that Baudisch designed to facilitate this transition to mobile computing is NanoTouch. While current mobile devices offer advanced capabilities, such as touch input, they must be large enough to manipulate with fingers. The NanoTouch interface, which is designed to sidestep this physical constraint, makes the mobile device appear translucent and moves the touch input to the device’s back side so that the user’s fingers do not block the front display. Baudisch says NanoTouch eliminates the requirement to build interface controls large enough for big fingertips and makes it possible to interact with devices much smaller than today’s handheld computers and smartphones.

In his most recent project, called RidgePad, Baudisch is working on a way to improve the recognition accuracy of touch screens. By monitoring not only the contact area between finger and screen, but also the user’s fingerprint within that contact area, RidgePad reconstructs the exact angle at which the finger touches the display. This additional information allows for more specific touch calibration, and, according to Baudisch, can effectively double the accuracy of today’s touch technology.

Increasing Human Performance
Another HCI researcher focusing on new interface technologies for mobility is Carnegie Mellon University’s Chris Harrison, who points out that while computers have become orders of magnitude more powerful than they were a few decades ago, users continue to rely on the mouse and keyboard, technologies that are approximately 45 and 150 years old, respectively. “That’s analogous to driving your car with ropes and sails,” he says. “It’s this huge disparity that gets me excited about input.” Harrison, a graduate student in
CMU’s Human-Computer Interaction
Institute, says that because computers
have grown so powerful, humans are
now the bottleneck in most operations.
So the question for Harrison is how to
leverage the excess computing power
to increase human performance.
For one of Harrison’s projects, in-
creasing human performance benefit-
ted from his observation that mobile
devices frequently rest on large sur-
faces: Why not use the large surfaces
for input? This line of thinking was
the birthplace for Harrison’s Scratch
Input technology. The idea behind
Scratch Input is that instead of pick-
ing up your media player to change
songs or adjust volume, the media
player stays where it is but monitors
acoustic information with a tiny, built-
in microphone that listens to the table
TOP PH OTO COURTESY OF ILYA ROSENBERG; BOTTOM PH OTO COU RTESY OF CH RIS HA RRISON
Interpolating force sensitive resistance (IFSR), a multitouch input technology developed at
New York University’s Media Research Lab. In this demo, Ilya Rosenberg demonstrates a 24-
or desk surface. To change the volume
inch Touchco IFSR sensor that serves as an interactive desktop surface. or skip to the next track, for example,
you simply run your fingernail over the
surface of the table or desk using dif-
ferent, recognizable scratch gestures.
The media player captures the acous-
tic information propagating through
the table’s surface and executes the
appropriate command.
In addition to developing Scratch
Input, which Harrison says is now ma-
ture enough to be incorporated into
commercial products, he and his col-
leagues have been working on mul-
titouch displays that can physically
A prototype shape-shifting ATM display that can assume multiple graphical and tactile
states. The display was developed at Carnegie Mellon University’s Human-Computer deform to simulate buttons, sliders,
Interaction Institute. arrows, and keypads. “Regular touch
screens are great in that they can ren- new interface paradigms will con-
der a multitude of interfaces, but they tinue to proliferate, allowing for com-
require us to look at them,” says Har- “There is a single puter interactions far more sophisti-
rison. “You cannot touch type on your true computation cated than the traditional mouse and
iPhone.” The idea with this interface keyboard. CMU’s Harrison predicts
technology, which Harrison calls a platform for the that eventually humans will be able
shape-shifting display, is to offer some masses today,” says to walk up to a computer, wave our
of the flexibility of touch screens while hands, speak to it, stare at it, frown,
retaining some of the beneficial tactile Patrick Baudisch, laugh, and poke its buttons, all as a
properties of physical interfaces. and it “is the mobile way to communicate with the device.
Another interface strategy designed In Harrison’s vision of this multimod-
to offer new advantages while retain- phone—by orders al interfacing, computers will be able
ing some of the benefits of older tech- of magnitude. This to recognize nuanced human commu-
nology is interpolating force-sensitive nication, including voice tone, inflec-
resistance (IFSR). Developed by two re- is the exciting and tion, and volume, and will be able to
searchers at New York University, IFSR promising reality we interpret a complex range of gestures,
sensors are based on a method called eye movement, touch, and other cues.
force-sensitive resistance, which has need to design for.” “If we ever hope for human-com-
been used for three decades to create puter interaction to achieve the fluidity
force-sensing buttons for many kinds and expressiveness of human commu-
of devices. However, until Ilya Rosen- nication, we need to be equally diverse
berg and Ken Perlin collaborated on in how we approach interface design,”
the IFSR project, it was both difficult he says. Of course, not all tools and
and expensive to capture the accurate other companies to integrate IFSR technologies will require a sophisticat-
position of multiple touches on a sur- into large-touch screens and flexible ed multimodal interface to be perfectly
face using traditional FSR technology electronic displays. In addition, the functional. “To advance to the next
alone. “What we created to address this team is looking into uses as diverse song on your portable music player, a
limitation took its inspiration from hu- as musical instruments, sports shoes, simple button can be fantastically ef-
man skin, where the areas of sensitivity self-monitoring building structures, ficient,” says Harrison. “We have to be
of touch receptors overlap, thereby al- and hospital beds. diligent in preserving what works, and
lowing for an accurate triangulation of “It seems that many of the hurdles investigate what doesn’t.”
the position of a touch,” says Perlin, a are largely ones of cultural and eco-
professor of computer science at NYU’s nomic inertia,” says Perlin. “When
Further Reading
Media Research Lab. a fundamentally improved way of
In IFSR sensors, each sensor ele- doing things appears, there can be Baudisch, P. and Chu, G.
ment detects pressure in an area that significant time before its impact is Back-of-device interaction allows creating
very small touch devices. Proceedings of the
overlaps with its neighboring ele- fully felt.” 27th International Conference on Human
ments. By sampling the values from the As for the future of these and other Factors in Computing Systems, Boston, MA,
touch array, and comparing the output novel input technologies, users them- April 2009.
of neighboring elements in software, selves no doubt will have the final Csikszentmihalyi, M.
Rosenberg and Perlin found they could word in determining their utility. Still, Flow: The Psychology of Optimal
track touch points with an accuracy researchers say that as input technolo- Experience. HarperCollins, New York, 1990.
approaching 150 dots per inch, more gies evolve, the recognizable mecha- Erickson, T. and McDonald, D. W. (eds.)
than 25 times greater than the density nisms for interfacing with computers HCI Remixed: Reflections on Works That
of the array itself. “In designing a new will likely vanish altogether and be Have Influenced the HCI Community. MIT
Press, Cambridge, MA, 2008.
kind of multitouch sensor, we real- incorporated directly into our environ-
ized from the outset how much more ment and perhaps even into our own Harrison, C. and Hudson, S. E.
powerful a signal is when properly bodies. “Just as we don’t think of, say, Scratch input: creating large, inexpensive,
unpowered, and mobile finger Input
sampled,” says Rosenberg, a graduate the result of LASIK surgery as an in- surfaces. Proceedings of the 21st Annual
student in NYU’s Media Research Lab. terface, the ultimate descendents of ACM Symposium on User Interface
“So we aimed to build an input device computer interfaces will be completely Software and Technology, Monterey, CA,
that would be inherently anti-aliasing, invisible,” predicts Perlin. “They will October 2008.
down to the level of the hardware.” be incorporated in our eyes as built- Rosenberg, I. and Perlin, K.
Recognizing the increased interest in displays, implanted in our ears as The UnMouse pad: an interpolating
in flexible displays, electronic paper, speakers that properly reconstruct 3D multi-touch force-sensing input pad. ACM
Transactions on Graphics 28, 3, August 2009.
and other technologies naturally suit- spatial sound, and in our fingertips as
ed to their core technology, Rosen- touch- or haptic-sensing enhancers
Based in Los Angeles, Kirk L. Kroeker is a freelance
berg and Perlin spun off their sen- and simulators.” editor and writer specializing in science and technology.
sor technology into a startup called On the way toward such seamlessly
Touchco, and now are working with integrated technology, it’s likely that © 2010 ACM 0001-0782/10/0200 $10.00
Type Theory
Comes of Age
Type systems are moving beyond the realm of data structure
and into more complex domains like security and networking.
W
H EN T H E PH IL OSO PH E R system is C. While C does provide types,
Bertrand Russell in- its type checking system has been inten-
vented type theory at tionally compromised to provide direct
the beginning of the access to low-level machine operations
20th century, he could using arbitrary pointer arithmetic, cast-
hardly have imagined that his solution ing, and explicit allocation and deallo-
to a simple logic paradox—defining cation. However, these maneuvers are
the set of all sets not in themselves— Art in fraught with risk, sometimes resulting
would one day shape the trajectory of
21st century computer science. Development in programs riddled with bugs like buf-
fer overflows and dangling pointers that
Once the province of mathemati- can cause security vulnerabilities.
cians and social scientists, type theory By contrast, languages like Java,
has gained momentum in recent years C# , Ruby, Javascript, Python, ML, and
as a powerful tool for ensuring data Haskell are strongly typed (or “type
consistency and error-free program safe”). Their sound type systems catch
execution in modern commercial pro- any type system violations as early as
gramming languages like C#, Java, possible, freeing the programmer to
Ruby, Haskell, and others. And thanks focus debugging efforts solely on valid
to recent innovations in the field, type program operations.
systems are now moving beyond the Benjamin C. Pierce,
realm of data structure and into more University of Pennsylvania. Static and Dynamic Systems
complex domains like security and net- Broadly speaking, type systems come in
working. guarantee, the runtime would need to two flavors: static and dynamic. Stati-
First, a quick primer. In program- conduct an expensive check to deter- cally typed languages catch almost all
ming languages, a type constitutes a mine what kinds of numbers were be- errors at compile time, while dynami-
definition of a set of values (for example, ing multiplied before it could complete cally typed languages check most er-
“all integers”), and the allowable op- the routine. rors at runtime. The past 20 years have
erations on those values (for example, What distinguishes a type system seen the dominance of statically typed
addition and multiplication). A type from more conventional program-level languages like Java, C# , Scala, ML, and
system ensures the correct behavior of verification? First, a type system must Haskell. In recent years, however, dy-
any program routine by enforcing a set be “decidable”; that is, the checking namically typed languages like Scheme,
of predetermined behaviors. For exam- should happen mechanically at the ear- Smalltalk, Ruby, Javascript, Lua, Perl,
ple, in a multiplication routine, a type liest opportunity (although this does not and Python have gained in popularity
system might guarantee that a program have to happen at compilation time; it for their ease of extending programs at
will only accept arguments in the form can also be deferred to runtime). A type runtime by adding new code, new data,
of numerical values. When other values system should also be transparent; that or even manipulating the type system at
appear—like a date or a text string— is to say, a programmer should be able runtime.
the system will return an error. For to tell whether a program is valid or not Statically typed languages have re-
programmers, type systems help pre- regardless of the particular checking al- strictions and annotations that make
vent undetected execution errors. For gorithm being used. Finally, a “sound” it possible to check most type errors at
language implementers, they optimize type system prevents a program from compile time. The information used
PHOTOGRA PH BY SAL LIE DEAN SH ATZ
execution and storage efficiency. For ex- performing any operation outside its by the type checker can also be used by
ample, in Java integers are represented semantics, like manipulating arbitrary tools that help with program text-edit-
in the form of 32 bits, while doubles memory locations. ing and refactoring, which is a consid-
are represented as 64 bits. So, when a Languages without a sound type erable advantage for large modular pro-
Java routine multiplies two numbers, system are sometimes called unsafe or grams. Moreover, static type systems
the type system guarantees they are ei- weakly typed languages. Perhaps the enable change. For example, when an
ther integers or doubles. Without that best-known example of a weakly typed important data structure definition is
Improving Disaster
Management
Social networking, sophisticated imaging, and dual-use technologies promise
improved disaster management, but they must be adopted by governments
and aid agencies if more lives are to be saved in the wake of crises.
W
HEN THE SEPTEMBER 11,
2001 terrorist attacks
ripped through the
heart of New York City,
the July 7, 2005 suicide
bombings created chaos and mayhem
in central London, and the Boxing Day
2004 Indian Ocean earthquake caused
a tsunami that swept away more than
200,000 lives, information and commu-
nication technologies played a part in
disaster response. Communication was
key, but not always possible as infra-
structure collapsed and mobile phone
networks became overloaded, prompt-
ing renewed efforts to develop effective
disaster management strategies.
Research organizations, relief agen-
cies, and technology providers agree
that technology can save lives in a di-
saster, but here consensus ends, with A man uses his mobile phone’s camera to document the aftermath of the earthquake that
a rift between researchers pursuing the devastated the city of Dujiangyan, in the province of Sichuan, China, on May 12, 2008.
possibilities of Web 2.0 applications
and field workers largely committed to plications, such as Twitter, blogs, and he says. “There is a lack of informa-
their traditional toolkit of mobile and wikis, as a means of improving disaster tion sharing, which is not a technol-
satellite phones. response. “People’s use of technology ogy problem, but a problem stemming
“IT systems make it possible to han- in crises is expanding rapidly, ahead from organizations wanting things this
dle large amounts of data to assess the of the use of technology by emergency way.”
situation after a disaster has struck, management agencies,” she says. “We One advance Rao suggests is dual
but we need to move in the direction of need people in these agencies who are use of technology. During peaceful
community response, developing me- disaster and technology savvy. We also times, dual-use technology, such as a
dia centers that accommodate citizen need opinion leaders and foundations mobile phone, operates as a everyday
journalists,” says Kathleen Tierney, that fund disaster assistance to think personal communications device, but
professor of sociology and director of along new lines.” during an emergency it transforms into
the Natural Hazards Research and Ap- The concept of community response an information sensor and dissemina-
plications Information Center at the plays into the thesis of Ramesh Rao, tor. This overcomes aversion to using
University of Colorado, Boulder. “Of- director of the California Institute for different communications equipment
ficial agencies need to interact with Telecommunications and Information during a crisis and eliminates the time
citizen first responders and assess in- Technology (Calit2) at the University of lag caused by government agencies col-
formation being gathered in the field, California, San Diego. Rao believes re- lecting, processing, and distributing
rather than depending on information search into technological, sociological, crisis-related data. Direct, firsthand
that is filtered through hierarchical or- and organizational issues is critical to reports from a disaster can provide a
PHOTOGRA PH BY NICK KOZAK
ganizations. The information may not the improvement of disaster response. realistic picture, helping to avoid the
be 100% accurate, but mobile phone “There is a great opportunity to use confusion that can result from wide-
pictures taken at the scene provide the technology to improve disaster man- spread, and not always accurate, televi-
most rapid information.” agement, but at the moment people sion broadcasts.
Tierney is a proponent of Web 2.0 ap- are in the way of that improvement,” Proving the value of dual-use technol-
18 COMMUNICATIO NS O F TH E AC M | F E BR UA RY 20 1 0 | VOL . 5 3 | N O. 2
news
ogy, Calit2 has developed a peer-to-peer add information. It was tested during
incident notification system that builds the 2008 earthquake in the Sichuan
on the concept of human sensors. The Disaster response province of China, with about 100 en-
human sensors collect and relay infor- needs to “move gineers accessing before and after sat-
mation about events, such as wildfires ellite imagery to monitor the extent of
and traffic accidents, to first respond- in the direction damage in the region.
ers and the general public using mobile of community “The viewer allows users to conduct
phones. a virtual disaster survey without leav-
The notification system is available response, developing ing their desks,” says ImageCat CEO
across all of California’s major cities media centers that Ronald Eguchi. “In the future, people
and is based on speech recognition, al- at the scene who take pictures with
lowing commuters to call in and report accommodate citizen mobile phones will be able to upload
incidents, or call in and listen about journalists,” says them to the viewer. We are in discus-
events that could disrupt their travel. sion with the United Nations about
Content is self-regulated with users Kathleen Tierney. how it could use the viewer in disaster
flagging incidents that are irrelevant management.”
or abusive, and the notification system With a myriad of sensors around
includes algorithms that rate users who the world and optical and radar satel-
report incidents. Conversely, the system lite images of an adequate resolution
can notify all users of an incident via a to see people on the ground, the possi-
voice call or text message. bilities of gathering and sharing data,
“If you see an accident and call 911, New Thinking, New Tools such as earthquake, coastal, and hur-
the police come, the local radio station Stepping out of research labs and into ricane images, are almost boundless
picks up what has happened and trans- the commercial world, disaster man- and could support significant humani-
mits the problem, but that’s often too agement development follows the tarian relief efforts.
late to allow commuters to get off the path of improved global communica- The benefits of satellite images in
highway,” Ganz Chockalingam, princi- tion and social networking. Image- disaster response are not limited to
pal development engineer at Calit2 and Cat, a risk-management innovation countries that own satellites, however,
developer of the notification system, ex- company based in Long Beach, CA, and disaster-struck countries can acti-
plains. “The incident notification system works with government, industry, and vate a clause of the Charter of the Unit-
is successful because there is no middle research organizations to develop new ed Nations that requires imagery to be
man and no time delay. Typically, we get thinking, tools, and services that are made available to a nation in distress.
about 1,000 calls a day, but during the available to both government agen- Eguchi believes much more can be
California wildfires [in 2009] that went cies and businesses, such as insurance done with technology to save lives in
up to about 10,000 calls a day.” companies that need to estimate loss- a disaster, but also recognizes the re-
Unlike traditional disaster manage- es after a disaster. alities of aid agencies. “Technologies
ment systems that are inflexible and ImageCat also concentrates on such as the virtual disaster viewer are
constrained by capacity, this peer-to- remote sensing and geographic in- new to aid agencies. Agencies need
peer system can scale to deliver real- formation systems. One recent devel- technology that is tested and validat-
time information during a disaster as opment is a virtual disaster viewer, a ed, that adds value to what they do and
there is no single channel of informa- Web-based system that uses remote demonstrates efficiency in getting the
tion and no single point of information sensors to gather information that right information to the right people at
control. The project is currently fund- can be displayed and used to assess the right time,” he says.
ed by Calit2, although Chockalingam the aftermath of disaster. The viewer UNICEF workers say the best in-field
points out that costs are relatively low as is a social networking-type tool to technologies for disaster management
much depends on user technology. which researchers and the public can are simple to use, low maintenance,
lightweight, and cheap. Reflecting munications infrastructure. ogy can save more lives, it is important
Rao’s promotion of dual-use technolo- International humanitarian aid to not ignore the self-imposed threat
gies that require minimal training, agency Mercy Corps also focuses on created by technology development
UNICEF is pioneering RapidSMS and communication. “The driving force and nurtured by those who see it as a
a field-based communications system behind all the equipment we carry is weapon with which to kill rather than a
called Bee. communications and we use the cheap- shield with which to protect.
RapidSMS provides real-time trans- est services we can find,” says Richard “In the 2008 Mumbai hotel bomb-
mission of data in a breaking emer- Jacquot, a member of Mercy Corps’ ing, the terrorists were more effective
gency or in a long-standing disaster, al- global emergency operations team. in their use of technology than the offi-
lowing aid workers to monitor supplies “We all carry a BlackBerry, a cheap lo- cials,” notes Rao. “They used informa-
and report on situations that require cal mobile, a satellite phone such as the tion systems and cell phones, while the
immediate response. At the moment, Inmarsat BGAN, sometimes a VHF ra- commandos sent in to clean up did not
it is being used in a number of African dio set and a laptop equipped with ap- have cell phones, so they couldn’t com-
countries to monitor nutrition, water, plications, including Microsoft Office, municate with each other or people in
sanitation, and supply chains. email, and a Web browser. Where there the hotel.
UNICEF’s Bee is an open source is no network, or when a hostile govern- “Official organizations are slow and
emergency telecommunications sys- ment blocks access to local networks, their thinking is ossified,” Rao says,
tem that provides Internet access in ar- we depend on satellite technology.” “but that will change and technology
eas where infrastructure is nonexistent Far from the world of Web 2.0 col- will be better used to reduce the loss of
or unusable. It provides a telephony laboration tools in the war-torn regions lives in disaster management and sup-
service and Wi-Fi access to applica- of Africa and Asia, Jacquot’s technology port quicker recovery of communities
tions such as ones that monitor health request is simple. “We have to carry too and infrastructure.”
and track supplies. The Bee system re- many tools, then we have to get autho-
quires no tools, and can be installed by rization for them depending on where
Further Reading
a field worker and be operational within we are. Integrating everything into one
30 minutes. Working with RapidSMS, device is too much to ask for, but some Dilmaghani, B. and Rao, R.
it helps UNICEF provision supplies integration would be great,” he says. A systematic approach to improve
communication for emergency response.
appropriately and gives workers im- While those in the labs developing Proceedings of the 42nd Hawaii
mediate warnings of potential health technology applications for disaster International Conference on System
risks and disease outbreaks. When an management and those in the field Sciences, Waikoloa, HI, January 2009.
area stabilizes, the Bee system is left in seeking simple, usable, and affordable Lien, Y.N., Tsai, T.C., and Jang, H.C.
place, acting as a base for a new com- solutions share the belief that technol- A MANET-based emergency communication
and information system for catastrophic
natural disasters. 2009 29th IEEE
International Conference on Distributed
Computing Systems, Montreal, Canada,
June 2009.
Palen, L. and Liu, S.
Citizen communications in crisis:
anticipating a future of ICT-supported
public participation. Proceedings of the 25th
International Conference on Human Factors
in Computing Systems, San Jose, CA, April
2007.
Shklovski, I., Palen, L., and Sutton, J.
Finding community through information
and communication technology in disaster
response. Proceedings of the ACM 2008
Conference on Computer Supported
Cooperative Work, San Diego, CA, November
2008.
Showalter, P. and Lu, Y. (eds.)
Geospatial Techniques in Urban Hazard and
Disaster Analysis. Springer, New York, 2009.
Tierney, K.
PHOTOGRA PH BY UNICEF/ EVA N WH EELER
News | DOI:10.1145/1646353.1646381
T
HE ACM FELLOW PROGRAM was sity courses, computing programs, and Erich L. Kaltofen,
established by Council in 1993 hardware for the emerging computer/ North Carolina State University
to recognize and honor out- communications amalgam reflect the David Karger,
standing ACM members for powers of their vision and their ability to Massachusetts Institute
their achievements in com- inspire colleagues and students to drive of Technology
puter science and information technol- the field forward. The members of the Arie E. Kaufman,
ogy and for their significant contributions ACM are all participants in building the State University of New York
to the mission of the ACM. The ACM Fel- runways, launching pads, and vehicles of at Stony Brook
lows serve as distinguished colleagues the global information infrastructure. Hans-Peter Kriegel,
to whom the ACM and its members look University of Munich (Ludwig-
for guidance and leadership as the world ACM Fellows Maximilians-Universitaet Muenchen)
of information technology evolves. Hagit Attiya, Technion Maurizio Lenzerini,
The ACM Council endorsed the es- David F. Bacon, IBM T.J. Watson Sapienza Universitá di Roma
tablishment of a Fellows Program and Research Center John C.S. Lui,
provided guidance to the ACM Fellows Ricardo Baeza-Yates, Yahoo! Research The Chinese University of Hong Kong
Committee, taking the view that the pro- Chandrajit L. Bajaj, Dinesh Manocha,
gram represents a concrete benefit to University of Texas at Austin University of North Carolina
which any ACM member might aspire, Vijay Bhatkar, at Chapel Hill
and provides an important source of International Institute of Margaret Martonosi,
role models for existing and prospective Information Technology, Pune Princeton University
ACM Members. The program is man- José A. Blakeley, Microsoft Corporation Yossi Matias, Google, Inc.
aged by the ACM Fellows Committee Gaetano Borriello, Renee J. Miller,
as part of the general ACM Awards pro- University of Washington University of Toronto
gram administered by Calvin C. Gotlieb Alok Choudhary, John T. Riedl,
and James J. Horning. For details on Fel- Northwestern University University of Minnesota
lows nominations, see p. 19. Nell B. Dale, Martin Rinard,
The men and women honored as University of Texas at Austin (Emerita) CSAIL-MIT
ACM Fellows have made critical contri- Bruce S. Davie, Cisco Systems Patricia Selinger, IBM Research
butions toward and continue to exhibit Jeffrey A. Dean, Google, Inc. R. K. Shyamasundar,
extraordinary leadership in the develop- Thomas L. Dean, Google, Inc. Tata Institute of
ment of the Information Age and will be Bruce R. Donald, Duke University Fundamental Research
inducted at the ACM Awards Banquet Thomas Erickson, Shang-Hua Teng,
on June 26, 2010, in San Francisco, CA. IBM T. J. Watson Research Center University of Southern California
These 47 new inductees bring the to- Gerhard Fischer, Chandramohan A. Thekkath,
tal number of ACM Fellows to 722 (see University of Colorado Microsoft Corporation -
www.acm.org/awards/fellows/ for the Ian T. Foster, Microsoft Research
complete listing of ACM Fellows). Argonne National Laboratory/ Robbert van Renesse,
Their works span all horizons in University of Chicago Cornell University
computer science and information Andrew V. Goldberg, Baba C. Vemuri,
technology: from the theoretical realms Microsoft Research Silicon Valley University of Florida
of numerical analysis, combinatorial Michael T. Goodrich, Paulo Veríssimo,
mathematics and algorithmic com- University of California, Irvine University of Lisbon
plexity analysis; through provinces of Venugopal Govindaraju, Martin Vetterli,
computer architecture, integrated cir- University at Buffalo, SUNY Ecole Polytechnic Federale
cuits and firmware spanning personal Rajiv Gupta, de Lausanne (EPFL)
computer to supercomputer design; University of California, Riverside Kyu-Young Whang,
into the limitless world of software and Joseph M. Hellerstein, Korea Advanced Institute of Science
networking that makes computer sys- University of California, Berkeley and Technology (KAIST)
tems work and produces solutions and Laurie Hendren, McGill University Yorick Wilks,
results that are useful—and fun—for Urs Hoelzle, Google, Inc. University of Sheffield
people everywhere. Farnam Jahanian, Terry Winograd,
Their technical papers, books, univer- University of Michigan Stanford University
IN TERMS OF sales, remote surveillance camera systems—commonly known as closed-circuit television (CCTV)—are a huge success story. Billions of dollars are spent on CCTV schemes by governments in developed countries each year, and sales to commercial companies and home users have been increasing, too. CCTV can be used for many purposes—ranging from monitoring traffic flows on highways, to allowing visitors in zoos to observe newborn animals during their first few days without disturbing them. The vast majority of CCTV purchases are made with the aim of improving safety and security. The London Underground was the first public transport operator to install cameras on station platforms, so train drivers could check doors were clear before closing them. CCTV has come a long way since then: last summer, the technology writer Cory Doctorow noticed that a single London bus now has 16 cameras on it (see Figure 1).

The advance from analog to digital technology had a major impact on CCTV: cameras are much smaller and cheaper, video is often transmitted wirelessly, and recordings are stored on hard disks, rather than tapes. Integration with other digital technologies offers further possibilities: image processing makes it possible to recognize automobile license plates automatically and match them against databases to check if a vehicle has been reported as stolen, or is uninsured. Advances in hardware—such as high-definition cameras—and image processing—such as the ability to process face and iris information from images taken at a distance, or to detect unattended objects—will enable a wide range of possible technology solutions (imagine the whole industry salivating).

The burgeoning sales figures and ubiquity of cameras suggest that surely CCTV technology must be effective. The U.K. government has invested heavily in CCTV over the past 15 years, making it the country with the highest CCTV camera-to-person ratio on earth (Greater London alone has one camera for every six citizens). A key driver for adoption was that local authorities seeking to combat crime could obtain government funds to purchase CCTV. In the public debate, this policy has been justified mainly with two arguments: "the public wants it," and "surely it's obvious that it works." As evidence for the latter, policymakers often point to high-profile (and often highly emotionally charged) cases:

• In 1993, CCTV images from a shopping mall camera showed police investigators that the murdered toddler James Bulger had been abducted by two teenagers, who were then apprehended and convicted.
• Images from London Transport cameras led to the identification and apprehension of the four men who carried out the failed 7/21 "copycat" bombing attempts in 2005.

The still images from these cases (see Figure 2a/b) have become iconic—visual proof that CCTV works. Those who questioned its value in the public debate, and dared to mention the "p-word," were largely dismissed as "privacy cranks," out of touch with the needs of policing and the wishes of ordinary citizens. But over the past two years, new doubts have been raised over the benefits:

• In summer 2008, a report by London police concluded that CCTV contributed to solving about 3% of street crimes. About £500 million ($700 million) has been spent on publicly funded CCTV in Greater London.
• In August 2009, a senior officer in the London police stated that, on an annual basis, about one crime was resolved for every 1,000 cameras in operation. He warned "police must do more to head off a crisis in public confidence over the use of surveillance cameras."
• In September 2009, John Bromley-Davenport, a leading criminal lawyer in Manchester, said images from CCTV did not prevent crime or help bring criminals to justice.3 He prosecuted the killers of a man kicked to death outside a pub. The incident was recorded on CCTV, but police officers did not arrive in time to stop the attack, and the quality of the recorded footage was too low to be used for identification purposes in court. (The killers were convicted on eyewitness evidence.) The chief executive of a company that helps police analyze CCTV footage estimated "that about half of the CCTV cameras in the country are next to useless when it comes to safeguarding the public against crime and assisting the police to secure convictions." Bromley-Davenport said that large amounts of money spent on technology meant less money was available to have police officers on the street—and that police presence was what mattered for preventing crime.
• In October 2009, design college professor Mike Press called for a moratorium on further CCTV deployments in Scotland, because the technology was "costly and futile […] a lazy approach to crime prevention" that was dangerous because it created "a false sense of security, encouraging [citizens] to be careless with property and personal safety."6

Thus, the effectiveness of CCTV is being questioned in the country that has been a leading and enthusiastic adopter. Surely, this must ring alarm bells in the industry supplying such systems? Not really. The industry response is that more advanced technology will fix any problems. High-definition cameras, for instance, would provide better image quality and increase the likelihood of identification. The same chief executive who said that half of all current cameras were useless suggests that "intelligent cameras" will improve effectiveness and reduce privacy invasion because they "only alert a police officer when a potential incident is taking place." London police experts also hope that "future technology will boost conviction rates using CCTV evidence."

The proposals for new technology and effectiveness include building a national CCTV database of convicted offenders and unidentified suspects, and use of "tracking technology developed by
FEBRUARY 2010 | VOL. 53 | NO. 2 | COMMUNICATIONS OF THE ACM
Viewpoints
Education

Why an Informatics Degree?
Isn't computer science enough?

WHAT IS AN informatics degree, and why? These are questions that have been posed to us on innumerable occasions for almost a decade by students, parents, employers, and colleagues, and when asked to prepare a Communications Education column to answer that question, we jumped at the opportunity.

The term "informatics" has different definitions depending on where it is used. In Europe, for instance, computer science is referred to as informatics. In the U.S., however, informatics is linked with applied computing, or computing in the context of another domain. These are just labels, of course. In practice, we are educating for a broad continuum of computing disciplines, applications, and contexts encountered in society today.

[Figure: Informatics programs offer diverse applications, as shown in these scenes from the informatics program at Indiana University, Bloomington.]

From Computer Science to Informatics
Computing provides the foundation for science, industry, and ultimately for the success of society. Computing education traditionally has focused on a set of core technological and theoretical concepts, and teaching these concepts remains critically important. Meanwhile, advances in computing occur and are driven by the need to solve increasingly complex problems in domains outside traditional computer science. Students, teachers, and scholars in other fields are keenly interested in computational thinking, and computing itself increasingly is informed by the challenges of other disciplines. For example, to design good online auction technology, computer scientists found that they needed to understand how humans would select bidding strategies given the system design, and indeed how to design the system to motivate certain types of behavior (truthful value revelation, for example). This co-design problem led to fruitful interdisciplinary collaborations between computer scientists, economists and, increasingly, social psychologists. Likewise, designing successful technology for trust, privacy, reputation, and sharing in social computing environments requires both computer science and behavioral science.

These interactions between problem domain context and computational design are characteristic of the maturing of computer science. Computing is no longer owned solely by computer science, any more than statistics is owned solely by faculty in statistics departments. Computing and computational thinking have become ubiquitous, and embedded in all aspects of science, research, industry, government, and social interaction. Consider the flurry of excitement about "e-commerce" in the late 1990s. Quickly e-commerce moved from being seen as a new field to being absorbed in "commerce": the study of business communications, logistics, fulfillment, and strategy, for which the Internet and computing were just two technologies in a complex infrastructure.

How then does computing education need to change to respond to the new reality, and more importantly, to be equipped to respond to future developments? We must embrace the diversity of ways in which problems are solved through the effective use of computing, and we must better understand the diverse problem domains themselves.

The vision for informatics follows from the natural evolution of computing. The success of computing is in the resolution of problems, found in areas that are predominately outside of computing. Advances in computing—and computing education—require greater understanding of the problems where they are found: in business, science, and the arts and humanities. Students must still learn computing, but they must learn it in contextualized ways. This, then, provides a definition for informatics: informatics is a discipline that solves problems through the application of computing or computation, in the context of the domain of the problem. Broadening computer science through attention to informatics not only offers insights that will drive advances in computing, but also more options and areas of inquiry for students, which will draw increasing numbers of them to study computation.

Informatics Programs
Computer science is focused on the design of hardware and software technology that provides computation. Informatics, in general, studies the intersection of people, information, and technology systems. It focuses on the ever-expanding, ubiquitous, and embedded relationship between information systems and the daily lives of people, from simple systems that support personal information management to massive distributed databases manipulated in real time. The field helps design new uses for information technology that reflect and enhance the way people create, find, and use information, and it takes into account the strategic, social, cultural, and organizational settings in which those solutions will be used.

In the U.S., informatics programs emerged over the past decade, though not always under the informatics name, and often in different flavors that bear the unique stamp of their faculty. Prominent examples include "Informatics" (Indiana University, University of Michigan, University of Washington, UC Irvine), "Human Computer Interaction" (Carnegie Mellon University), "Interactive Computing" (Georgia Tech), "Information Technology and Informatics" (Rutgers), and "Information Science and Technology" (Penn State). Some programs emerged primarily from computer science roots; others from information and social science roots. They do all generally agree on the centrality of the interaction of people and technology, and thus regardless of origin they are multidisciplinary and focus on computation in human contexts.

Informatics is fundamentally an interdisciplinary approach to domain problems, and as such is limited neither to a single discipline nor a single domain. This is evident in another type of diversity in such programs: some take a fairly broad approach, with several distinct tracks or application domains, which can range as widely as art and design, history, linguistics, biology, sociology, statistics, and economics. Other programs are limited to a single application domain, such as bioinformatics (for example, Iowa State, Brigham Young, and UC Santa Cruz). Thus, informatics programs can have as many differences as they have commonalities. This has been reflected in some confusion and frustration about how to establish a community of interest. For example, there is an "iSchool" caucus (about 27 members), and a partially overlapping CRA (IT) Deans group (about 40 members). To illustrate some of the issues, we will describe two of the broader programs with which we are most familiar.

The School of Informatics and Computing at Indiana University Bloomington offers a traditional CS degree and an informatics degree, which was first offered in 2000. Its informatics curriculum is focused along three dimensions that are first presented in an introductory course: foundations, implications, and applications. Unlike most traditional computer science curricula, the introductory course does not focus on programming as the sole problem-solving paradigm. Instead, a number of skills, concepts, and problem-solving techniques are introduced and motivated by context-based problems, including logical reasoning, basic programming, teamwork, data visualization, and presentation skills. Following this introduction, foundations courses include discrete math and logical reasoning, a two-course programming sequence, and a course on data and information representation, while implications courses include social informatics and human-computer interaction. The foundations topics are similar to those in a computer science program; however, the ordering is quite different, in that programming comes last rather than first. This sequencing increases retention in the major because students have more time to develop their technical skills.

At Indiana, the interdisciplinary component of the curriculum is accomplished through a mixture of three methods: elective courses covering technology use and issues in specific problem domains; a required senior capstone project, aimed at solving a "real-world" problem; and a required cognate specialization of at least five courses in another discipline. There are currently over 30 different specializations from around 20 disciplines available, including business, fine arts, economics, information security, biology, chemistry, telecommunications, and geography.

The School of Information (SI) at the University of Michigan has offered master's and Ph.D. degrees in Information since 1996. In 2008 SI joined with the Computer Science and Engineering Division, and the College of Literature, Science and Arts, to offer a joint undergraduate informatics degree. To enter the major, students are required to complete one prerequisite each in calculus, programming, statistics, and information science. They then take a 16-credit core in discrete math, data structures,
statistics, and economics. This diversity has costs, of course. One is that for now, in the early years, students and faculty must continuously explain "informatics" to potential employers. Another is providing strong enough foundations in both computation and another discipline to produce competitive, successful graduates.

The curriculum provides a strong foundation, domain depth, and interdisciplinary training. However, to accomplish all of this, it also imposes on students the heaviest required-credit burden of any liberal arts major. The equal participation by the Computer Science and Engineering Division in the Michigan degree emphasizes the ability to design an informatics program as a complement to a traditional computer science degree; indeed, the Computer Science and Engineering Division continues to offer two traditional CS bachelor's degrees (one in engineering, one in liberal arts). One advantage expected for the contextualized informatics degree is higher enrollment of women, and indeed, about half the class of declared majors is female. On the downside, managing a degree that spans three colleges and schools is challenging, with natural hurdles such as teaching budgets and credit approvals across units.

Looking Forward
Informatics curricula are young and developing, but have proven popular. Indiana has over 400 students in the major. In just its first year, Michigan attracted 40 undergraduate majors. Evidence comes also from successful courses offered outside a formal informatics program. For example, a computer scientist and an economist at Cornell enroll about 300 students annually in interdisciplinary "Networks," which counts toward the majors in Computer Science, Economics, Sociology, and Information Science.a At the University of Pennsylvania, "Networked Life" (taught by a computer scientist) attracts about 200 students, and satisfies requirements in three majors: Philosophy, Politics, and Economics; Science, Technology, and Society; and Computer and Information Science.b

The desire to deeply understand how computing works is what has drawn most researchers to study computer science. These same individuals are then invested with the responsibility to develop curricular programs and teach computing to the next generation of computing professionals. The current (and all future) generations of students entering the university have largely grown up in a world where computing is so commonplace that it is taken for granted. Many of them are less interested in how computing works than in how to make it work better in the solution of specific problems, drawn from virtually all other domains of human knowledge. There will always be a need for students who study computer science. Informatics provides a complementary path to reach other students for whom understanding and developing computation contextually is crucial to the problems that motivate them. Like mathematics, probability, and logic, in the future computational science will be taught embedded in many other areas. Indeed, informatics is a path within which the technical accomplishments of computer science, mathematics, and statistics become embedded in the ways we interact, imagine, and produce throughout the scope of human experience.

Dennis P. Groth (dgroth@indiana.edu) is Associate Dean for Undergraduate Studies and Associate Professor of Informatics in the School of Informatics and Computing at Indiana University, Bloomington.
Inside Risks
The Need for a National
Cybersecurity Research and
Development Agenda
Government-funded initiatives, in cooperation with private-sector partners in
key technology areas, are fundamental to cybersecurity technical transformation.
Communications’ Inside Risks col-
umns over the past two decades have
frequently been concerned with trust-
worthiness of computer-communica-
tion systems and the applications built
upon them. This column considers what
is needed to attain new progress toward
avoiding the risks that have prevailed
in the past as a U.S. national cybersecu- ART IN
rity R&D agenda is being developed. Al-
though the author writes from the per- DEVELOPMENT
spective of someone deeply involved in
research and development of trustwor-
thy systems in the U.S. Department of
Homeland Security, what is described
here is applicable much more univer-
sally. The risks of not doing what is de-
scribed here are very significant.
—Peter G. Neumann
C
President Barack Obama greets White House Cyber Security Chief Howard A. Schmidt, who
complex,
Y B E R S PAC E I S T H E was appointed in December 2009.
dynamic, globally intercon-
nected digital and infor- The U.S. and the world at large are Background
mation infrastructure that currently at a significant decision On January 8, 2008, National Security
underpins every facet of so- point. We must continue to defend Presidential Directive 54/Homeland Se-
ciety and provides critical support for our existing systems and networks. At curity Presidential Directive 23 formal-
OFF ICIAL WH ITE H OUSE PHOTO BY L AW RENCE JACKSON
our personal communication, econo- the same time, we must attempt to be ized the Comprehensive National Cyber-
my, civil infrastructure, public safety, ahead of our adversaries, and ensure security Initiative (CNCI) and a series of
and national security. Just as our de- future generations of technology will continuous efforts designed to establish
pendence on cyberspace is deep, so position us to better protect critical a frontline defense (reducing current
too must be our trust in cyberspace, infrastructures and respond to at- vulnerabilities and preventing intru-
and we must provide technical and tacks from adversaries. Government- sions), which will protect against the
policy solutions that enable four funded research and development full spectrum of threats by using intel-
critical aspects of trustworthy cyber- must play an increasing role toward ligence and strengthening supply chain
space: security, reliability, privacy, achieving this goal of national and security, and shaping the future environ-
and usability. economic security. ment by enhancing our research, devel-
F E B R UA RY 2 0 1 0 | VO L. 53 | N O. 2 | C OM M U N IC AT ION S OF T HE ACM 29
viewpoints
opment, and education, as well as investing in "leap-ahead" technologies.

No single federal agency "owns" the issue of cybersecurity. In fact, the federal government does not uniquely own cybersecurity. It is a national and global challenge with far-reaching consequences that requires a cooperative, comprehensive effort across the public and private sectors. However, as it has done historically, the U.S. government R&D community, working in close cooperation with private-sector partners in key technology areas, can jump-start the necessary fundamental technical transformation.

Partnerships
The federal government must reenergize two key partnerships to successfully secure the future cyberspace: the partnership with the educational system and the partnership with the private sector. The Taulbee Survey2 has shown that our current educational system is not producing the cyberspace workers of the future, and the current public-private partnerships are inadequate for taking R&D results and deploying them across the global infrastructure.

Education. A serious, long-term problem with ramifications for national security and economic growth is looming: there are not enough U.S. citizens with computer science (CS) and science, technology, engineering, and mathematics (STEM) degrees being produced. The decline in CS enrollments and degrees is most acute. The decline in undergraduate CS degrees portends the decline in master's and doctoral degrees as well. Enrollments in major university CS departments have fallen sharply in the last few years, while the demand for computer scientists and software engineers is high and growing. The Taulbee Survey2 confirmed that CS (including computer engineering) enrollments are down 50% from only five years ago, a precipitous drop by any measure. Since CS degrees are a subset of the overall requirement for STEM degrees and show the most significant downturn, CS degree production can be considered a bellwether for the overall condition and trend of STEM education. The problems with other STEM degrees are equally disconcerting and require immediate and effective action. At the same time, STEM jobs are growing, and CS jobs are growing faster than the national average.

At a time when the U.S. experiences cyberattacks daily and as global competition continues to increase, the U.S. cannot afford continued ineffective educational measures and programs. Revitalizing educational systems can take years before results are seen. As part of an overall national cybersecurity R&D agenda, the U.S. must incite an extraordinary shift in the number of students in STEM education quickly to avoid a serious shortage of computer scientists, engineers, and technologists in the decades to come.

Public-Private Partnerships. Information and communications networks are largely owned and operated by the private sector, both nationally and internationally. Thus, addressing cybersecurity issues requires public-private partnerships as well as international cooperation. The public and private sector interests are dependent on each other and share a responsibility for ensuring a secure, reliable infrastructure. As the federal government moves forward to enhance its partnerships with the private sector, research and development must be included in the discussion. More and more private-sector R&D is falling by the wayside and, therefore, it is even more important that government-funded R&D can make its way to the private sector, given it designs, builds, owns, and operates most of the critical infrastructures.

Technical Agenda
Over the past decade there have been a significant number of R&D agendas published by various academic and industry groups, and government departments and agencies (these documents can be found online at http://www.cyber.st.dhs.gov/documents.html). A 2006 federal R&D plan identified at least eight areas of interest with over 50 project topics that were either being funded or should be funded by federal R&D entities. Many of these topic areas have been on the various lists for over a decade. Why? Because the U.S. has underinvested in these R&D areas, both within the government and private R&D communities.

The Comprehensive National Cyber Initiative (CNCI) and the President's Cyberspace Policy Review3 challenged the federal networks and IT research community to figure out how to "change the game" to address these technical issues. Over the past year, through the National Cyber Leap Year (NCLY) Summit and a wide range of other activities, the U.S. government research community sought to elicit the best ideas from the research and technology community. The vision of the CNCI research community over the next 10 years is to "transform the cyber-infrastructure to be resistant to attack so that critical national interests are protected from catastrophic damage and our society can confidently adopt new technological advances."

The leap-ahead strategy aligns with the consensus of the U.S. networking and cybersecurity research communities: that the only long-term solution to the vulnerabilities of today's networking and information technologies is to ensure that future generations of these technologies are designed with security built in from the ground up. Federal agencies with mission-critical needs for increased cybersecurity, which includes information assurance as well as network and system security, can play a direct role in determining research priorities and assessing emerging technology prototypes.

The Department of Homeland Security Science and Technology Directorate has published its own roadmap in an effort to provide more R&D direction for the community. The Cybersecurity Research Roadmap1 addresses a broad R&D agenda that is required to enable production of the technologies that will protect future information systems and
[…]

Copyright held by author.
Viewpoint

Open Access to Scientific Publications
The good, the bad, and the ugly.

IN HIS JULY 2009 Communications editor's letter "Open, Closed, or Clopen Access?", editor-in-chief Moshe Vardi addressed the question of open access to this magazine and to ACM publications in general. Scientific publishing, like all areas of publishing, is undergoing major changes. One reason is the advent of the Internet, which fosters new types of publishing models. Another less-known factor is the exponential increase in the number of scientific publications (see the figure here), which has turned this area into a serious business. In this column, I take a look at commercial and Open Access publishing, and at the role that professional societies such as ACM can play in this evolving world.
Commercial Publishing
Scientific publishing is a profitable business: at more than 30%, the operating profit margins of major commercial publishers are among the highest across all businesses.a A major consequence has been a massive concentration of commercial editors of scientific, technical, and medical (STM) publications, with one giant (Elsevier) and a few big players (Springer, Thomson, Wiley). This concentration has coincided with sharp increases in subscription rates, and has generated razor-sharp business practices whereby, for example, publishers sell subscriptions to a bundle of titles that typically contain one or two good journals among a set of second-tier ones.

The quality of a journal is typically measured by its impact factor—the average number of citations to articles in this journal over a unit time (typically three years). Because of the competition among publishers, impact factors can be, and are, manipulated: commercial publishers ask their editors-in-chief to "encourage" authors of accepted papers to include references to their journals. (Since they pay their editors-in-chief, it makes them more "receptive" to such requests.) The Web-based version of EndNote, the well-known reference searching tool, facilitates references to publications indexed by ISI Web-of-Science, the division of Thomson that computes the very impact factors mentioned previously.

a See, for example, http://www.researchinformation.info/features/feature.php?feature_id=141

[Figure: Exponential increase in the scientific production in the medical (MED) and natural sciences and engineering (NSE) fields. The vertical scale is logarithmic. The number of published articles for 2004 is about 500,000 and the number of references is about 10 million. Data provided by Yves Gingras.]
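To make the impact-factor definition concrete, here is a minimal sketch of the computation. The counts are hypothetical, and real indexes such as ISI Web-of-Science apply their own rules about the citation window and which document types count:

```python
def impact_factor(citations: int, articles: int) -> float:
    """Average citations per article: citations received to the journal's
    articles over the counting window, divided by the number of articles
    the journal published in that window."""
    return citations / articles

# Hypothetical journal: 120 citations to the 80 articles it
# published during the counting window.
print(impact_factor(120, 80))  # 1.5
```

This is also why the manipulation described above works: every extra self-citation raises the numerator without changing the denominator.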
Over the years, commercial STM publishing has become a cutthroat business with cutthroat practices, and we, the scientific and academic community, are the naive lambs, blinded by the ideals of science for the public good—or simply in need of more publications to advance our careers.

Fortunately, a number of researchers and academic leaders woke up one day and said: "We do not need commercial publishers. We want the results of our research, which is often funded by taxpayers' money, to be available for free to the public at large. With the Internet, the costs of publishing are almost zero, and therefore we can make this work." And so was born the white knight of STM publishing: Open Access.

Open-Access Publishing
But the proponents of Open Access quickly realized that online publishing is neither free nor cheap. Management, equipment, and access costs add up quickly. For example, ACM spends several million dollars every year to support the reliable data center serving the Digital Libraryb and to incorporate new data, improve cross-references, and develop new services.

Since Open Access needs funding, where can it come from?c An obvious answer is advertising, but it is not a sustainable option, at least for now. A less obvious answer, but one that is quickly gaining momentum, is called author charges (or publication fees): since Open Access does not charge readers, authors will pay to publish their works. This should be painless for authors because they are also readers: it simply transfers charges from subscriptions to authorship. In fact, the proponents of this model explicitly encourage researchers to include author charges in their budgets when they apply for grants. The NIH explicitly supports Open Access and accepts such costs.

But how much are authors ready to pay to publish an article? A few hundred dollars? The most prominent Open Access publisher, the Public Library of Science (PLOS), is a nonprofit organization that has received several million dollars in donations. Yet it charges between $1,350 and $2,900 per paper, depending on the journal.d In fact, many in the profession estimate that to be sustainable, the author-pay model will need to charge up to $5,000–$8,000 per publication.

Consider what this means. For example, I am the head of the Laboratory for Computer Science at Université Paris-Sud in France. We publish over 100 journal articles annually. At the conservative estimate of $2,500 per article, the author fees would cost us $250,000 per year. This is more than four times our current budget for journal subscriptions. And, of course, since not every publisher is going to turn to that model overnight, we would have to keep traditional subscriptions. At $5,000 per publication, my lab is broke.

Funding agencies are unlikely to cover these extra costs. If they do, it will be within the same overall budget, meaning less money for manpower, equipment, and travel. Also, how would funding agencies pay for papers published after the end of a grant, as is often the case with journal publications? […] able to publish more and more easily than the poor. And even though Open Access publishers do have policies to lower or waive the fees for those who cannot pay, it is embarrassing just to have to ask.

In fact, those who benefit the most from this model are neither the scientific community nor the general public. They are the big pharmaceutical labs and the tech firms who publish very little but rely on the publication of scientific results for their businesses.e With author-pay, research will pay so that industry can get their results for free. Is this moral? The only other area in publishing where authors pay to get published is called the vanity press. Do we really want to enter that model?

Not surprisingly, commercial publishers have considered Open Access a potential threat. But they quickly realized that the author-pay model could work for them, too. Many publishers are already testing a dual model: authors can publish an article without charge, in which case it is available to subscribers only, or with an author charge, in which case it is available for free. This is the best of both worlds: charging both readers and authors!

So while Open Access was designed to provide an alternative to commercial publishing, it may well be consumed by it. Now, authors, not just readers, are the publishers' market.
b As an example, on Sept. 11, 2001, ACM was tions? How would researchers decide
prepared to switch to a backup database in between two papers when budgets are
another location in the country to provide un- e Elsevier has admitted to creating fake journals
interrupted access to the Digital Library.
tight? More than ever, the rich will be sponsored by pharmaceutical labs (see, for
c See http://www.arl.org/sparc/publisher/in- example, http://www.the-scientist.com/blog/
comemodels/ for a fairly complete list. d See http://www.plos.org/journals/pubfees.html display/55679/)
For example, I can easily imagine these publishers soon offering universities special deals with reduced author fees in exchange for exclusive rights to the publications of that university, jeopardizing academic freedom.

The Role of Professional Societies
Can we get out of this situation? Can we escape both the escalating subscription fees of commercial editors and the dangerous author fees of prominent Open Access publishers? It is important to understand that the scientific community is largely at fault: we sit on the editorial boards of the very journals published at exorbitant prices by commercial publishers,[f] and we submit our best articles to these journals.
The problem with the subscription model is not the model but the fees. Rob Kirby, of the UC Berkeley Math Department, has compared the cost-per-page of various mathematics journals, computed as the subscription price divided by the number of pages published annually.[g] In 1997, they ranged from $0.07 to $1.53. The cost per 10,000 characters, which better accounts for differences among journal formats, ranged from 30 cents to $3. Consistently, the cheaper journals are published by universities and societies; the most expensive ones by commercial publishers. In 2003, Donald Knuth, editor of Journal of Algorithms, wrote a long letter[h] to his editorial board explaining that the price per page of the journal had more than doubled since it had been acquired by Elsevier, while it had stayed stable over the previous period, when it was published by Academic Press. This led to a mass resignation of the board and the rebirth of the journal as ACM Transactions on Algorithms. Another well-known example is the Journal of Machine Learning Research, which became its own Open Access publisher for similar reasons. A number of journals have joined this trend,[i] but few have turned to Open Access.
So, am I against Open Access? No. I think it is a noble goal, an achievable goal. But this goal should not blind us to the point of making a bad system even worse, of hurting research in the name of making its results freely available to everyone.
First, scientific publications can be affordable. The pricing of the ACM Digital Library is extremely low, even compared to other societies and nonprofit organizations. This is still not enough. The pricing model is adequate for the academic and industry audience but not for dissemination toward the public at large. As shown by the success of online stores such as iTunes, low pricing can translate into large volumes. Commercial publishers charge non-subscribers up to $30 to download a single paper; ACM charges $15. What if it were 99 cents? While I am not saying that scientific publishing is a mass market like music, I do believe this would dramatically reduce the barrier to non-subscribers, in particular the general public, without significantly affecting the revenues from subscriptions.
Second, much of this debate has focused on cost. But free access is, to paraphrase the Free Software Movement, as much about free beer as it is about free speech. Many publishers, including ACM, allow their authors to publish copies of their articles on their personal Web page or on their institutional repository.[j] But the transfer of copyright is seen by some as a serious hindrance to open access, as it deprives authors of distribution rights. While the copyright transfer offers authors protection (such as against plagiarism) and services (such as authorization to reprint), I believe switching to a licensing model such as Creative Commons could be beneficial.
The added value provided by publishers is twofold: reputation (the value of the imprimatur) and archiving (the guarantee that the work will be available forever). These allow publishers to provide services that self-publishing and even institutional repositories cannot provide, such as the author pages that were recently added to the ACM Digital Library. Little if any of this relies on the actual transfer of copyright. While publishers value the exclusivity granted by copyright transfer, users (authors and readers alike) value the services that make articles easier to find: indexing, cross-referencing, searching, and so forth. A proper licensing model could foster novel services for scientific dissemination, including by third parties, without challenging the primary values and revenue streams of publishers, in particular non-profit ones.

Conclusion
Open Access is a valuable goal, but the scientific community is overly naive about the whole business of scientific publishing. Societies and nonprofit organizations need to continue to lead the way to improve the dissemination of research results, but the scientific community at large must support them against the business-centric views of commercial publishers. Author fees are not a solution. Worse, they jeopardize the ecological balance of the research incentive structure. Finally, nonprofit publishers should take advantage of their unique position to experiment with sustainable evolutions of their publishing models.

[f] I am an associate editor of an Elsevier-published journal.
[g] See http://math.berkeley.edu/~kirby/journals.html
[h] See http://www-cs-faculty.stanford.edu/~knuth/joalet.pdf
[i] For a list, see http://oad.simmons.edu/oadwiki/Journal_declarations_of_independence
[j] See section 2.5 of the ACM copyright policy, http://www.acm.org/publications/policies/copyright_policy, and the SHERPA/RoMEO list of publishers' copyright and self-archiving policies, http://www.sherpa.ac.uk/romeo/

Michel Beaudouin-Lafon (mbl@lri.fr) is a professor of computer science at Université Paris-Sud (France) and head of the Laboratory for Computer Science (LRI). He is also a former member of the ACM Council and the ACM Publications Board.

The author thanks Wendy Mackay and Bernard Rous for comments on earlier versions of this column.

Copyright held by author.
Kode Vicious
Taking Your Network's Temperature
A prescription for capturing data to diagnose and debug a networking problem.
Dear KV,
I posted a question on a mailing list
recently about a networking problem
and was asked if I had a tcpdump. The
person who responded to my ques-
tion—and to the whole list as well—
seemed to think my lack of networking
knowledge was some kind of affront to
him. His response was pretty much a
personal attack: If I couldn’t be both-
ered to do the most basic types of de-
bugging on my own, then I shouldn’t
expect much help from the list. Aside
from the personal attack, what did he
mean by this?
Dumped
Dear Dumped,
It is always interesting to me that when
people study computer programming
or software engineering they are taught
to use the creative tools—editors to
create code, compilers to take that
code and turn it into an executable—
but are rarely, if ever, taught how to debug a program. Debuggers are powerful tools, and once you learn to use one you become a far more productive programmer because, face it, putting printf()—or its immoral equivalent—throughout your code is a really annoying way to find bugs. In many cases, especially those related to timing issues, adding print statements just leads to erroneous results. If the number of people who actually learn how to debug a program during their studies is small, the number who learn how to debug a networking problem is minuscule. I actually don't know anyone who was ever directly taught how to debug a networking problem.
Some people—the lucky ones—are eventually led to the program you mention, tcpdump, or its graphical equivalent, wireshark, but I've never seen anyone try to teach people to use these tools. One of the nice things about tcpdump and wireshark is that they're multi-platform, running on both Unix-like operating systems and Windows. In fact, writing a packet-capture program is relatively easy, as long as the operating system you're working with gives you the ability to tap into the networking code or driver at a low enough level to sniff packets.
Those of us who spend our days banging our heads against networking problems eventually learn how to use

FEBRUARY 2010 | VOL. 53 | NO. 2 | COMMUNICATIONS OF THE ACM 35
these tools, sort of in the way that early humans learned to cook flesh. Let's just say that though the results may have been edible, they were not winning any Michelin stars.
Using a packet-capture tool is, to a networking person, somewhat like using a thermometer is to a parent. It is likely that if you ever felt sick when you were a child at least one of your parents would take your temperature. If they took you to the doctor, the doctor would also take your temperature. I once had my temperature taken for a broken ankle—crazy, yes, but that doctor gave the best prescriptions, so I just smiled blithely and let him have his fun. That aside, taking a child's temperature is the first thing on a parent's checklist for the question "Is my child sick?" What on earth does this have to do with capturing packets?
By far the best tool for determining what is wrong with programs that use a network, or even the network itself, is the tcpdump tool. Why is that? Surely in the now 40-plus years since packets were first transmitted across the original ARPANET we have developed some better tools. The fact is we have not. When something in the network breaks, you want to be able to see the messages at as many layers as possible.
The other key component in debugging network problems is understanding the timing of what happens, which a good packet-capture program also records. Networks are perhaps the most nondeterministic components of any complex computing system. Finding out who did what to whom and when (another question parents often ask, usually after a fight among siblings) is extremely important.
All network protocols, and the programs that use them, have some sort of ordering that is important to their functioning. Did a message go missing? Did two or more messages arrive out of order at the destination? All of these questions can potentially be answered by using a packet sniffer to record network traffic, but only if you use it!
It's also important to record the network traffic as soon as you see the problem. Because of their nondeterministic nature, networks give rise to the worst types of timing bugs. Perhaps the bug happens only every so many hours, because of a rollover in a large counter; you really want to start recording the network traffic before the bug occurs, not after, because it may be many hours until the condition comes up again.
So, here are some very basic recommendations on using a packet sniffer in debugging a network problem. First, get permission (yes, it really is KV giving you this advice). People get cranky if you record their network traffic, such as instant messages, email, and banking transactions, and then post it to a mailing list. Just because some person in IT was dumb enough to give you root or admin rights on your desktop does not mean you should just record everything and send it off.
Next, record only as much information as you need to debug the problem. If you're new at this you'll probably have the program suck up every packet so you don't miss anything, but that's problematic for two reasons: the first is the previously mentioned privacy issue; and the second is that if you record too much data, finding the bug will be like finding a needle in a haystack—only you've never seen a haystack that big. Recording an hour of Ethernet traffic on your LAN can capture a few hundred million packets. No matter how good a tool you have, it's going to do a much better job at finding a bug if you narrow down the search.
If you do record a lot of data, don't try to share it all as one huge chunk. See how these points follow each other? Most packet-capture programs have options to say, "Once the capture file is full, close it and start a new one." Limiting files to one megabyte is a nice start.
Finally, do not record your data on a network file system. There is no better way to ruin a whole set of packet-capture files than by having them capture themselves.
So there you have it: a brief introduction to capturing data so you can debug a networking problem. Perhaps now you can get yelled at on a mailing list for something more egregious than not taking your network's temperature before calling the doctor.
KV

Related articles on queue.acm.org

Debugging in an Asynchronous World
Michael Donat
http://queue.acm.org/detail.cfm?id=945134

Kode Vicious Bugs Out
Kode Vicious
http://queue.acm.org/detail.cfm?id=1127862

A Conversation with Steve Bourne, Eric Allman, and Bryan Cantrill
http://queue.acm.org/detail.cfm?id=1413258

Dedication
I would like to dedicate this column to my first editor, Mrs. B. Neville-Neil, who passed away after a sudden illness on December 9th, 2009; she was 65 years old.
My mother took language, both written and spoken, very seriously. The last thing I wanted to hear upon showing her an essay I was writing for school was, "Bring me the red pen." In those days I did not have a computer; all my assignments were written longhand or on a typewriter, and so the red pen meant a total rewrite. She was a tough editor, but it was impossible to question the quality of her work or the passion that she brought to the writing process. All of the things Strunk and White have taught others throughout the years my mother taught me, on her own, with the benefit of only a high school education and a voracious appetite for reading.
It is, in large part, due to my mother's influence that I am a writer today. It is also due to her influence that I review articles, books, and code on paper, using a red pen. Her edits and her unswerving belief that I could always improve are, already, keenly missed.
—George Vernon Neville-Neil III

Copyright held by author.
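KV's rotation advice above ("Once the capture file is full, close it and start a new one") is built into real capture tools, but the pattern itself is simple. The following is a generic sketch in Python; the class name and parameters are invented for illustration and are not any particular tool's API. The one-megabyte default mirrors KV's suggestion.

```python
class RotatingCaptureWriter:
    """Write records to numbered files, starting a new file once the
    current one would exceed max_bytes: the "close it and start a new
    one" behavior KV describes. A generic sketch, not a packet sniffer."""

    def __init__(self, prefix, max_bytes=1_000_000):
        self.prefix = prefix
        self.max_bytes = max_bytes
        self.index = 0
        self.current = open(f"{self.prefix}.{self.index}", "wb")

    def write(self, record: bytes):
        # Rotate before this record would push the file past the limit.
        if self.current.tell() + len(record) > self.max_bytes:
            self.current.close()
            self.index += 1
            self.current = open(f"{self.prefix}.{self.index}", "wb")
        self.current.write(record)

    def close(self):
        self.current.close()
```

The payoff is exactly what KV is after: no single file grows without bound, and each small file can be inspected or shared on its own instead of as one huge chunk.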
Interview
An Interview with Michael Rabin
Michael O. Rabin, co-recipient of the 1976 ACM A.M. Turing Award, discusses his innovative algorithmic work with Dennis Shasha.

I FIRST ENCOUNTERED Michael Rabin in 1980 when I was a first-year Ph.D. student at Harvard University. It was four years after Rabin and Dana Scott won the ACM A.M. Turing Award for their foundational work on deterministic and nondeterministic finite state automata. By 1980, however, Rabin's interests were all about randomized algorithms. His algorithms course was a challenge to all of us. Sometimes he presented a result he had worked out only two weeks earlier. When I had difficulty understanding, I would make puzzles for myself. As a consequence, when I published my first puzzle book, The Puzzling Adventures of Dr. Ecco, I dedicated the book to Michael as one of my three most influential teachers. At Harvard, I enjoyed every encounter with Michael—in seminars and at parties. He was a great raconteur and a great joker. In 1994, journalist Cathy Lazere and I embarked on the writing of Out of Their Minds: The Lives and Discoveries of 15 Great Computer Scientists. The goal was to interview great living seminal thinkers of our field: Knuth, Rabin, Dijkstra, among others. Each thinker was associated with an epithet: Michael's was "the possibilities of chance."
—Dennis Shasha, Courant Institute, New York University

Shasha: I'm going to try to get to a mixture of personal and technical recollections; let's start in Israel. You finished high school, and what were you thinking about doing after high school?

Rabin: I've been intensely interested in mathematics ever since I was 11 years old, when I was kicked out of class and told to stand in the hall. I encountered two ninth-graders who were working on geometry problems and asked them what they were doing. They said they had to prove such-and-such a statement, and then condescendingly said to me, "You think you can do it?" Even though I never studied geometry, I was able to solve that problem. The fact that you can by pure thought prove statements about the real world of lines, circles, and distances impressed me so deeply that I decided I wanted to study mathematics.
My father sent me to the best high school in Haifa, where I grew up, and in 10th grade I had the good luck to encounter a real mathematician, Elisha Netanyahu (the uncle of Benjamin Netanyahu), who was at the time a high school teacher. Later he became a professor at the Haifa Institute of Technology. He conducted once a week a so-called "mathematical circle," where he taught a selected group of students number theory, combina-
torics, and advanced algebra. Netanyahu lent me advanced mathematics books. Starting at age 15, I read Hardy and Wright's book An Introduction to the Theory of Numbers and the first volume, in German, of Landau's Zahlentheorie. I studied a wonderful book by G.H. Hardy called Pure Mathematics, which was mainly analysis, two volumes of Knopp's Functions of a Complex Variable, A. Speiser's book Gruppentheorie, and so on.
I finished high school at age 16½ because the war of independence broke out in Israel, and everybody in my class was drafted into the army. I continued to study mathematics on my own while in the army. Then I got in touch with Abraham Fraenkel, who was a professor of mathematics in Jerusalem and whose book on set theory I had studied. That was maybe in September of 1949. Fraenkel met and tested me on group theory, number theory, and set theory, and decided that it would be quite worthwhile if I came to the university. He got in touch with army authorities, and I was discharged from the army to go and study at the university.
The system was that you went directly to a master's degree. I studied a lot of mathematics: set theory, algebra, functions of a complex variable, linear spaces, differential equations, and probability, as well as physics and applied mathematics. I was mainly interested in algebra. So in 1952 I wrote a master's thesis on the algebra of commutative rings, and solved an open problem due to Emmy Noether, giving a necessary and sufficient condition on a commutative ring for having the property that every ideal is a finite intersection of primary ideals. That was one of my first papers. It appeared in the Comptes Rendus (the proceedings) of the French Academy of Sciences.

Princeton Days and String Automata Theory
I went to Princeton University to study with Alonzo Church. At the time, only 13 Ph.D. students were admitted every year to the Mathematics Department. I found out the committee that was considering me assigned somebody to look at the master's thesis paper, and this is what led to my admission. My Ph.D. thesis was on computational (recursive) unsolvability of group-theoretical problems, thus combining my interests in algebra and computability.
In 1957, IBM decided to go into research in a big way. They sent people to recruit promising students from top universities and top mathematics departments. Dana Scott and I were invited to spend the summer at IBM Research. Watson Labs did not exist at that time, and research was located at the Lamb Estate in Westchester County. This had previously been an insane asylum where, rumor had it, rich families would forcibly confine troublesome members.
At the Lamb Estate, Dana and I wrote the paper "Finite Automata and Their Decision Problems." Automata theory had started with a study by Walter Pitts and Warren McCulloch of what would now be called neural networks. They assumed that those neural networks essentially embodied a finite number of states, and talked about what is recognizable by such finite-state neural networks, but they didn't have a complete characterization. Later, in 1956, S.C. Kleene invented regular languages: sets of strings that are obtained from finite sets by certain simple operations. Kleene showed that finite neural nets compute or recognize exactly the regular languages.
We decided to completely abstract away from neural nets and consider a finite-state machine that gets symbol inputs and undergoes state transitions. If upon being fed a string of symbols it passes from an initial state to one of a number of accepting states, then the string is accepted by the finite-state machine. The finite-state machine had no output except for saying yes/no at the end.
Dana and I asked ourselves in what ways we could expand the finite-state machine model. One of our extensions was to consider nondeterministic machines. We really did not have any deep philosophical reason for considering nondeterminism, even though, as we now know, nondeterminism is at the center of the P = NP question, a problem of immense practical and theoretical importance. For us, it was just one of the variants. We stipulated that the automaton, when in state S and upon input symbol sigma, can go into any one of a number of states S', S'', ..., comprising a certain subset of the set of states. The nondeterministic finite-state machine accepts a string if there is a possible computation, a possible sequence of transitions, leading to an accepting state. Then we proved that finite-state nondeterministic automata are exactly equal in power to deterministic automata. [On a practical level, this means that the wildcard searches of, say, grep, perl, or python can be expressed as nondeterministic finite-state automata and then translated into deterministic finite-state automata.]
The corresponding question of whether nondeterministic polynomial-time Turing machine computations are equal in power to deterministic polynomial-time Turing machine computations is the famous P = NP problem.
Employing nondeterministic automata, we were able to re-prove Kleene's result that finite-state machines accept exactly the regular languages. The proof became very easy. We also introduced and studied other extensions of finite automata, such as two-way automata, multi-tape automata, and linearly bounded automata. The latter construct appeared in our research report but did not find its way into the published paper.

Origins of Complexity Theory
The next summer I again went to the Lamb Estate. At that time there was a methodologically misled, widely held view that computing, and what later became computer science, was a sub-field of information theory in the Shannon sense. This was really ill-con-
ceived because Shannon was dealing with the information content of messages. If you perform a lengthy calculation on a small input, then the information content in the Shannon sense of the outcome is still small. You can take a 100-bit number and raise it to the power 100, so you get a 10,000-bit number. But the information content of those 10,000 bits is no larger than that of the original 100 bits.
John McCarthy posed to me a puzzle about spies, guards, and passwords. Spies must present, upon returning from enemy territory, some kind of secret password to avoid being shot by their own border guards. But the guards cannot be trusted to keep a secret. So, if you give them the password, the enemy may learn the password and safely send over his own spies. Here is a solution. You randomly create, say, a 100-digit number x and square it, and give the guards the middle 100 digits of x². John von Neumann had suggested the middle-square function for generating pseudo-random numbers. You give the number x to the spy. Upon being challenged, the spy presents x. The guard computes x² and compares the middle square to the value he has. Every password x is used only once. The whole point is that presumably it is easy to calculate the middle square, but it is difficult, given the middle square, to find one of the numbers having that value as a middle square. So even if the guards divulge the middle square, nobody else can figure out the number the spy knows.
But how do you even define that difficulty of computing? And even more so, how do you prove it? I then set myself to study that problem. I wrote an article called "Degree of Difficulty of Computing a Function and Hierarchy of Recursive Sets." In that article, I wasn't able to solve the problem of showing that the von Neumann function is difficult to invert. This is really a special case of the P = NP problem. It hasn't been settled to this day. But I was able to show that for every computable function there exists another computable function that is more difficult to compute than the first one, regardless of the algorithm or programming language one chooses. It's similar to the minimum energy required for performing a physical task. If this phone is on the floor and I have to raise it, there is a minimum amount of work. I can do it by pulling it up, or by putting a small amount of explosive under it and blowing it up, but there is a certain inherent amount of work. This is what I was studying for computations.
I think this paper, no less than the Rabin/Scott paper, was a reason for my Turing Award. The ACM announcement of the Turing Award for Dana and for me mentioned the work on finite automata and other work we did, and also suggested that I was the first person to study what is now called complexity of computations.

Randomized Algorithms: A New Departure
I went back to Jerusalem. I divided my research between working on logic, mainly model theory, and working on the foundations of what is now computer science. I was an associate professor and the head of the Institute of Mathematics at 29 years old and a full professor by 33, but that was completely on the merit of my work in logic and in algebra. There was absolutely no appreciation of the work on the issues of computing. Mathematicians did not recognize the emerging new field.
In 1960, I was invited by E.F. Moore to work at Bell Labs, where I introduced the construct of probabilistic automata. These are automata that employ coin tosses in order to decide which state transitions to take. I showed examples of regular languages that required a very large number of states, but for which you get an exponential reduction of the number of states if you go over to probabilistic automata.

Shasha: And with some kind of error bound?

Rabin: Yes, yes, that's right. In other words, you get the answer, but depending upon how many times you run the probabilistic automaton, you have a very small probability of error. That paper eventually got published in 1963 in Information and Control.
In 1975, I finished my tenure as Rector (academic head) of the Hebrew University of Jerusalem and came to MIT as a visiting professor. Gary Miller was there and had his polynomial-time test for primality based on the extended Riemann hypothesis. [Given an integer n, a test for primality determines whether n is prime.] That test was deterministic, but it depended on an unproven assumption. With the idea of using probability and allowing the possibility of error, I took his test and made it into what's now called a randomized algorithm, which today is the most efficient test for primality. I published first, but found out that Robert Solovay and Volker Strassen were somewhat ahead with a different test. My test is about eight times faster than theirs and is what is now universally being used. In the paper I also introduced the distinction between what are now called Monte Carlo and Las Vegas algorithms.
In early 1976 I was invited by Joe Traub for a meeting at CMU and gave a talk presenting the primality test. After I gave that lecture, people were standing around me and saying, "This is really very beautiful, but the new idea of doing something with a probability of error, however exponentially small, is very specialized. This business of witnesses for compositeness you have introduced is only useful for the primality test. It will never really be a widely used method." Only Joe Traub said, "No, no, this is revolutionary, and it's going to become very important."

From Trick to Fundamental Technique
From then on, I set myself the goal of finding more and more applications of randomization in mathematics and computer science. For example, in 1977 in my MIT class, I presented an algorithm for efficiently expressing an integer as the sum of four squares. Lagrange had proved in 1770 that ev-
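The randomized primality test Rabin describes can be sketched in a few lines. This is the standard textbook Miller-Rabin formulation as it is taught today, not the 1976 paper reproduced verbatim: each round picks a random base a, and either a witnesses that n is composite, or n survives the round; k independent rounds drive the one-sided error probability below 4^-k.

```python
import random

def is_probable_prime(n: int, rounds: int = 20) -> bool:
    """Miller-Rabin test: 'composite' answers are always correct;
    'prime' answers are wrong with probability at most 4**-rounds."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13):      # quick trial division
        if n % p == 0:
            return n == p
    # Write n - 1 = 2**s * d with d odd.
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)  # random candidate witness
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue                    # this base reveals nothing
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                # a witnesses compositeness
    return True                         # probably prime
```

In Rabin's own later terminology this is a Monte Carlo algorithm: the running time is fixed, and the (one-sided) error is probabilistic.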
one successor function—where you are allowed to quantify over arbitrary subsets of integers—is decidable. His was the first result of that nature.
Büchi posed an open problem: is the monadic second-order theory decidable if you have two successor functions? For example, one successor function being 2x (double) and the other one being 2x+1. I don't know if he realized how powerful the monadic theory of two successor functions would turn out to be. I realized that this is an incredibly powerful theory. If you find a decision procedure for that theory, then many other logical theories can be demonstrated to be decidable.
I set myself to work on this problem. My formulation was a generalization from infinite strings to infinite binary trees. You consider a tree where you have a root, and the root has two children, a child on the left and a right child, and each of these has again two children, a left child and a right child. The tree branches out ad infinitum, forming an infinite binary tree. Con-

logics like modal logics and the temporal logics that are a tool for program verification, especially in the work of Amir Pnueli, Moshe Vardi, Orna Kupferman, and many others.

Keeping Secrets
The next significant application of my work on randomization was to cryptography. Ueli Maurer suggested a model of a cryptographic system that is

versary cannot store all his computed bits. This work created quite a stir and was widely discussed, even in the popular press.
Nowadays, however, the bounded-storage assumption may not be compelling because the capacity of storage has increased so dramatically. So I posited a new Limited Access Model. Suppose each of 10,000 participants independently stores physically random pages. The sender and receiver use a common small random key to randomly select the same 30 page-server nodes and from each node download the same randomly selected page. Sender and receiver now XOR those 30 pages to create a one-time pad they employ to encrypt messages. Assume that an adversary cannot listen to or subvert more than, say, 2,000 of the 10,000 page-server nodes. Consequently, his probability of having obtained any particular random page is no more than 1/5, and, since the pages are XORed in groups of 30, his probability of having all of those pages is 1/5 to the power of 30.
sider that tree with the two successor based on what he called the bounded If the adversary is missing even one
functions, left child, right child, and storage assumption. Namely, you have of those pages, then the one-time pad
study the logical theory of the tree with a very intense public source of ran- is completely random with respect to
these two functions and quantifica- dom bits that everybody can observe, him, and consequently, if used to en-
tion over arbitrary subsets of nodes of say beamed down from a satellite. crypt by XORing with the message, the
the tree. The sender and receiver have a short encrypted message is also completely
In 1966, I came as visitor to IBM common key that they establish say by random for that adversary.
research at Yorktown Heights, and meeting, and they use that key in order
one of my goals to find an appropriate to select the same random bits out of Privacy for Pirates and Bidders
theory of automata on infinite binary the public source of randomness. Out In the late 1990s, [Dennis Shasha]
trees and prove the decidability of the of those bits, they construct so-called came to me and suggested that we work
same problems that Dana Scott and I one-time pads. If you assume that the together on devising a system for pre-
had shown to be decidable for finite intensity of the random source is so venting piracy, to begin with, of soft-
automata on finite strings. I created large that no adversary can store more ware, but later on also music, videos,
the appropriate theory of automata than, let us say, two-thirds of its bits, and so on—any kind of digitized intel-
on these infinite trees and showed then the one-time pad is really com- lectual property. We started by rein-
that it was decidable. I consider this pletely random to the adversary and venting variants of existing methods,
to be the most difficult research I can be used for provably unbreakable such as the use of safe co-processors
have ever done. encryption. and other methods that were actually
A remarkable feature of that origi- Mauer initially proved the unbreak- current at the time and which, by the
nal proof is that even though we are ability result under the assumption way, have all either been defeated or
dealing with finite automata, and with that the adversary stores original bits impose excessive constraints on use.
trees that are infinite but countable, from the random source. However, We then invented a new solution. Our
the proof and all subsequent variants there remained an open question: design protects privacy of legitimate
employ transfinite induction up to the suppose your adversary could do some purchasers and even of pirates while
first uncountable ordinal. Thus the operations on the original bits and at the same time preventing piracy of
proof is a strange marriage between then store fewer bits than the num- protected digitized content. For ex-
the finite and countable with the un- ber of source bits. Jonatan Aumann, ample, an engineering firm wanting
countable. Yan Zong Ding, and I showed that to win a contest to build a bridge can
This theory led to decision algo- even if the adversary is computation- purchase software for bridge design
rithms for many logical theories. That ally unbounded, one can still obtain without identifying itself. Thus com-
included decidability of nonstandard unbreakable codes provided the ad- petitors cannot find out that the firm
is competing for the project. The pur- program computer. Next there was a
chaser of digital content obtains a tag great emphasis on the study of vari-
permitting use of the content. The tag Powerful algorithms ous mathematical machines. Finite
is not tied to a machine identifier so are enabling automata are models for sequential
that the tag and use of the content can circuits. Nondeterministic and deter-
be moved from machine to machine. tools for every ministic so-called pushdown autom-
Coupled with robust content-identify- computer innovation ata play a pivotal role in the syntactic
ing software, use of protected content compilation of programming languag-
absent a corresponding tag is stopped. and application. es. For about 20 years or so, there was a
The deployment of this robust solu- great emphasis in research on autom-
tion to the piracy problem requires ata, programming languages, and for-
the cooperation of system vendors. mal languages, also in connection of
More recently, I have become in- course with linguistics. There was also
terested in protecting the privacy and a considerable emphasis on efficient
secrecy of auctions. Working with Stu- mathematician and a great teacher. algorithms of various kinds. The book
art Shieber, David Parks, and Chris Shasha: Let’s talk a little bit about by Alfred Aho, John Hopcroft, and Jeff
Thorpe, we have a methodology that the relationship that you’ve men- Ullman, and Donald Knuth’ classical
employs cryptography to ensure hon- tioned to me often between teaching books are examples of this strong in-
est privacy-preserving auctions. Our and research, because you’ve won terest in algorithms. The study of al-
protocols enable an auctioneer to con- many awards for teaching as well as gorithms will always remain centrally
duct the auction in a way that is clearly for science. How do you think aca- important. Powerful algorithms are
honest, prevents various subversions demics should view their teaching re- enabling tools for every computer in-
of the auction process itself, and later sponsibilities? novation and application.
on, when the auction is completed Rabin: This is really a very important Then emphasis started to shift to-
and the auctioneer has determined question. There is this misconception ward issues of networking and com-
the winner or winners and how much that there is a conflict and maybe even munication. Even the people who
they pay and how much they get of a contradiction between great teach- created the Internet, email, and other
whatever is being auctioned in multi- ing and being able to do great science. forms of connectivity perhaps didn’t
item auctions, the auctioneer can I think this is completely incorrect, fully realize where all that was going
publish a privacy-preserving proof for and that wonderful teaching, such as to lead. This evolution, revolution, ex-
the correctness of the result. In the ini- Schiffer’s teaching, flows from a deep plosion, started to accelerate, and over
tial papers, we used the tool of homo- understanding of the subject matter. the past 10 years we went into a phase
morphic encryption. Later on, I had This is what enables the person also where the main use of computers is
an idea that I then eventually imple- to correctly select what to teach. Af- in the world of information creation,
mented with Chris Thorpe and Rocco ter all, the world of knowledge, even sharing, and dissemination. We have
Servedio of an entirely new approach in specialized subjects, is almost in- search engines, Wikipedia, Facebook,
to zero knowledge proofs, which is finite. So one great contribution is to blogs, and many other information re-
computationally very efficient, does select the topics, and the other great sources, available to everyone literally
not use heavy-handed and compu- contribution is to really understand at their fingertips.
tationally expensive encryption, and the essence, the main motifs, of each We are only at the beginning of this
achieves everything very efficiently by particular topic that the person pres- revolution. One can predict that there
use of just computationally efficient ents, and to show it to the class in a is going to be an all-encompassing
hash functions. way that the class gets these essential worldwide network of knowledge
ideas. Great teaching and great sci- where people are going to create,
Teachers, Teaching, and Research ence really flow together and are not share, and use information in ways
In the life of every creative scientist, mutually contradictory or exclusive of that never existed before, and which
you will find outstanding teachers each other. we can’t fully foresee now. These de-
that have influenced him or her and velopments are giving rise to a torrent
directly or indirectly played a role in The Future of research in information organiza-
their success. My first mentor was a Shasha: You have contributed to so tion and retrieval, in machine learn-
very eminent logician and set theo- many areas of computer science. Talk ing, in computerized language under-
rist, Abraham Halevi Fraenkel. I wrote about one or many, and where do you standing, in image understanding,
a master’s thesis under the direction think it is going? in cryptography security and privacy
of the wonderful algebraist Jacob Lev- Rabin: Computer science research protection, in multi-agent systems, to
itski. He was a student of maybe the has undergone a number of evolutions name just a few fields. Computer sci-
greatest woman mathematician ever, during my research career, and be- ence research will continue to be rich,
Emmy Noether, the creator of modern cause of the quick pace, one can even dynamic, exciting, and centrally im-
abstract algebra as we know it. In Je- say revolutions. To begin with, there portant for decades to come.
rusalem, I learned applied mathemat- was Alan Turing’s model of a comput-
ics from Menachem Schiffer, a great ing machine, leading to the stored- Copyright held by author.
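Rabin's Limited Access Model lends itself to a short simulation. The sketch below is illustrative only — the page size, the shared key, and the key-to-node derivation are stand-ins, not the protocol's actual parameters:

```python
import random

PAGE_SIZE = 16        # bytes per page (toy size; real pages would be far larger)
NUM_NODES = 10_000    # page server nodes, each storing one random page
K = 30                # pages XORed together to form the one-time pad

# Each node independently stores a physically random page (simulated here).
rng = random.Random(7)
nodes = [bytes(rng.randrange(256) for _ in range(PAGE_SIZE))
         for _ in range(NUM_NODES)]

def derive_pad(shared_key):
    """Sender and receiver derive identical pads from a small common key:
    the key selects the same K nodes, whose pages are XORed together."""
    pick = random.Random(shared_key).sample(range(NUM_NODES), K)
    pad = bytes(PAGE_SIZE)
    for i in pick:
        pad = bytes(a ^ b for a, b in zip(pad, nodes[i]))
    return pad

def xor(data, pad):
    return bytes(a ^ b for a, b in zip(data, pad))

key = 424242  # small shared random key (illustrative)
ciphertext = xor(b"attack at dawn".ljust(PAGE_SIZE), derive_pad(key))
recovered = xor(ciphertext, derive_pad(key)).rstrip()
print(recovered)        # b'attack at dawn'

# An adversary holding 2,000 of the 10,000 pages has any given page with
# probability 1/5, hence all K pages with probability (1/5)**30.
print((1 / 5) ** K)
```

The point survives the toy scale: if the adversary is missing even one of the 30 pages, the pad — and hence the ciphertext — is uniformly random from his point of view.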
practice

DOI:10.1145/1646353.1646370
Article development led by queue.acm.org

Power-Efficient Software

Power-manageable hardware can help save energy, but what can software developers do to address the problem?

BY ERIC SAXE

THE RATE AT which power-management features have evolved is nothing short of amazing. Today almost every size and class of computer system, from the smallest sensors and handheld devices to the "big iron" servers in data centers, offers a myriad of features for reducing, metering, and capping power consumption. Without these features, fan noise would dominate the office ambience and untethered laptops would remain usable for only a few short hours (and only then if one could handle the heat), while data-center power and cooling costs and capacity would become unmanageable.

As much as we might think of power-management features as being synonymous with hardware, software's role in the efficiency of the overall system has become undeniable. Although the notion of "software power efficiency" may seem justifiably strange (as software doesn't directly consume power), the salient part is really the way in which software interacts with power-consuming system resources.

Let's begin by classifying software into two familiar ecosystem roles: resource managers (producers) and resource requesters (consumers). We will then examine how each can contribute to (or undermine) overall system efficiency.

The history of power management is rooted in the small systems and mobile space. By today's standards, these systems were relatively simple, possessing a small number of components, such as a single-core CPU and perhaps a disk that could be spun down. Because these systems had few resources, utilization in practice was fairly binary in nature, with the system's resources either being in use—or not. As such, the strategy for power-managing resources could also be fairly simple, yet effective.

For example, a daemon might periodically monitor system utilization and, after the system appears sufficiently idle for some time threshold, clock down the CPU's frequency and spin down the disk. This could all be done in a way that required little or no integration with the subsystems otherwise responsible for resource management (for example, the scheduler, file system, among others), because at zero utilization, not much resource management needed to be done.

By comparison, the topology of modern systems is far more complex. As the "free performance lunch" of ever-increasing CPU clock speeds has come to an end, the multicore revolution is upon us, and as a consequence, even the smallest portable devices present multiple logical CPUs that need to be managed. As these systems scale larger (presenting more power-manageable resources), partial utilization becomes more common, where only part of the system is busy while the rest is idle. Of course, CPUs present just one example of a power-manageable system resource: portions of physical memory may (soon) be power manageable, with the same being true for storage and…
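The simple daemon-style policy described above — watch utilization, act only after a sustained idle streak — can be sketched in a few lines. The threshold and streak length here are illustrative, and the power-down action is a stub:

```python
IDLE_THRESHOLD = 0.05   # below 5% utilization counts as idle (illustrative)
IDLE_PERIODS = 3        # consecutive idle samples required before acting

def power_events(samples):
    """Given periodic utilization samples, return the indices at which a
    threshold daemon would clock down the CPU and spin down the disk."""
    events, idle_streak = [], 0
    for i, util in enumerate(samples):
        idle_streak = idle_streak + 1 if util < IDLE_THRESHOLD else 0
        if idle_streak == IDLE_PERIODS:   # fire once per sustained idle streak
            events.append(i)
    return events

# Busy, then sustained idle: the daemon acts after the third idle sample.
print(power_events([0.60, 0.02, 0.01, 0.01, 0.01]))   # [3]
```

A real daemon would read utilization from the OS (for example, from /proc/stat on Linux) and invoke the platform's frequency-scaling and disk-spin-down controls; the structure, though, is this simple.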
Figure 1. A hierarchy of resource managers. (The diagram shows consumer/manager/resource triples at three levels: virtual machines managed by a virtual/physical machine manager in the data center; OS instances scheduled onto physical CPUs and memory by a hypervisor within a physical machine; and applications served by the scheduler, virtual memory subsystem, and storage volume manager within an operating system instance.)

…trade off performance for power efficiency (CPU frequency scaling is one example), while others might offer (for idle resources) a trade-off of reduced power consumption versus increased recovery latency (for example, as with the ACPI C-states). As such, the act of a resource manager selecting one resource over another (based on power states) is an important vehicle for making such tradeoffs that ideally should complement the power-management strategy for individual resources.

The granularity with which resources can be power managed is another important spatial consideration. If multicore processors can be power managed only at the socket level, then there's good motivation to consolidate system load on as few sockets as possible. Consolidation drives up utilization across some resources, while quiescing others. This enables the quiesced resources to be power managed while "directing" power (and performance) to the utilized portion of the system.

Another factor that may play into individual resource selection and utilization distribution decisions is the characteristics of the workload(s) using the resources. This may dictate, for example, how aggressively a resource manager can consolidate utilization across the system without negatively impacting performance (as a result of resource contention), or to what extent changing a utilized resource's power state will impact the consumer's performance.

Temporal Considerations
Some resource managers may also allocate resources in time, as well as (or rather than) space. For example, a timer subsystem might allow clients to schedule some processing at some point (or with some interval) in the future, or a task queue subsystem might provide a means for asynchronous or deferred execution. The interfaces to such subsystems have traditionally been very narrow and prescriptive, leaving little room for temporal optimization. One solution is to provide interfaces to clients that are more descriptive in nature. For example, rather than providing a narrow interface for precise specification of what should happen and when:

    int
    schedule_timer(void (*what)(void), time_t when);

a timer interface might instead specify what needs to be done, along with a description of the constraints for when it needs to happen:

    int
    schedule_timer(void (*what)(void), time_t about_when,
        time_t deferrable_by, time_t advancable_by);

Analogous to consolidating load onto fewer sockets to improve spatial resource quiescence, providing some temporal latitude allows the timer subsystem to consolidate and batch process expirations. So rather than waking up a CPU n times over a given time interval to process n timers (incurring some overhead with each wakeup), the timer subsystem could wake the CPU once and batch process all the timers allowable per the (more relaxed) constraints, thus reducing CPU overhead time and increasing power-managed-state residency (see Figure 2).

Figure 2. Benefits of batch processing periodic timers. (Without batching: short sleep durations and frequent wake-ups. After batching: longer sleep durations and fewer wake-ups.)

Efficient Resource Consumption
Clearly, resource managers can contribute much to the overall efficiency of the system, but ultimately they are forced to work within the constraints and requests put forth by the system's resource consumers. Where the constraints are excessive and resources are overallocated or not efficiently used, the benefits of even the most sophisticated power-management features can be for naught, while the efficiency of the entire system stack is compromised.

Well-designed, efficient software is a thing of beauty, showing good proportionality between utilization (and useful work done) and the amount of resources consumed. For utopian software, such proportionality would be perfect, demonstrating that when no work is done, zero resources are used, and as resource utilization scales higher… Even running very well-behaved software at the minimum will, in practice, require some resource overhead.

By contrast, inefficient software demonstrates poor proportionality between resource utilization and amount of work done. Here are some common examples:

• A process is waiting for something, such as the satisfying of a condition, and is using a timer to periodically wake up to check if the condition has been satisfied. No useful work is being done as it waits, but each time it wakes up to check, the CPU is forced to leave an idle power-managed state. What's worse, the process has decided to wake…

• …over time its heap grows to consume much of the system's physical memory, despite little to none of it actually being used.

Figure 4. "Idle" inefficiency. (Axes: work done versus resource utilization.)

Observing Inefficiency in the Software Ecosystem
Comprehensive analysis of software efficiency requires the ability to observe the proportionality of resource utilization versus useful work performed. Of course, the metric for "work done" is inherently workload specific. Some workloads (such as Web servers and databases) might be throughput based. For such workloads, one technique could be to plot throughput (for example, transactions per second) versus {cpu|memory|bandwidth|storage} resource consumption. Where a "knee" in the curve exists (resource utilization rises, yet throughput does not), there is an opportunity either to use fewer resources to do the same work or perhaps to eliminate a bottleneck to facilitate doing more work using the same resources.

For parallel computation workloads that use concurrency to speed up processing, one could plot elapsed computation time versus the resources consumed, and using a similar technique identify and avoid the point of diminishing returns.

Rather than using workload-specific analysis, another fruitful technique is looking at systemwide resource utilization behavior at what should be zero utilization (system idle). By definition, the system isn't doing anything useful, so any software that is actively consuming CPU cycles is instantly suspect. PowerTOP is an open source utility developed…
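The batched, descriptive timer interface discussed under Temporal Considerations can be prototyped with a greedy window-merging sweep: each timer's (when, deferrable_by, advancable_by) triple defines a firing window, and overlapping windows collapse into a single wake-up. A toy sketch, not the article's implementation; times are abstract ticks:

```python
def batch_wakeups(timers):
    """Coalesce descriptive timers (when, deferrable_by, advancable_by) into
    the fewest wake-ups, each landing inside every batched timer's window.
    Returns (window_lo, window_hi, timers_fired) per wake-up."""
    windows = sorted((when - adv, when + dfr) for when, dfr, adv in timers)
    wakeups = []
    lo, hi = windows[0]
    count = 1
    for nlo, nhi in windows[1:]:
        if nlo <= hi:                      # window overlaps the open batch:
            lo, hi = max(lo, nlo), min(hi, nhi)   # shrink to common window
            count += 1
        else:                              # no overlap: close batch, open new
            wakeups.append((lo, hi, count))
            lo, hi, count = nlo, nhi, 1
    wakeups.append((lo, hi, count))
    return wakeups

# Three timers with overlapping slack collapse into one wake-up;
# the distant fourth still needs its own.
timers = [(100, 20, 0), (110, 10, 10), (115, 0, 10), (500, 50, 0)]
print(batch_wakeups(timers))   # [(105, 115, 3), (500, 550, 1)]
```

With precise timers (zero slack) every expiration would be its own wake-up; the slack is exactly what lets the subsystem trade a little timing precision for longer power-managed-state residency.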
Managing Contention for Shared Resources on Multicore Processors

MODERN MULTICORE SYSTEMS are designed to allow clusters of cores to share various hardware structures, such as LLCs (last-level caches; for example, L2 or L3), memory controllers, and interconnects, as well as prefetching hardware. We refer to these resource-sharing clusters as memory domains because the shared resources mostly have to do with the memory hierarchy. Figure 1 provides an illustration of a system with two memory domains and two cores per domain.

Threads running on cores in the same memory domain may compete for the shared resources, and this contention can significantly degrade their performance relative to what they could achieve running in a contention-free environment. Consider an example demonstrating how contention for shared resources can affect application performance. In this example, four applications—Soplex, Sphinx, Gamess, and Namd, from the Standard Performance Evaluation Corporation (SPEC) CPU 2006 benchmark suite6—run simultaneously on an Intel Quad-Core Xeon system similar to the one depicted in Figure 1.

As a test, we ran this group of applications several times, in three different schedules, each time with two different pairings sharing a memory domain. The three pairing permutations afforded each application an opportunity to run with each of the other three applications within the same memory domain:

• Soplex and Sphinx ran in a memory domain, while Gamess and Namd shared another memory domain.
• Sphinx was paired with Gamess, while Soplex shared a domain with Namd.
• Sphinx was paired with Namd, while Soplex ran in the same domain with Gamess.

Figure 2 contrasts the best performance of each application with its worst performance. The performance levels are indicated in terms of the percentage of degradation from solo execution time (when the application ran alone on the system), meaning that the lower the numbers, the better the performance.

There is a dramatic difference between the best and the worst schedules, as shown in the figure. The workload as a whole performed 20% better with the best schedule, while gains for individual applications Soplex and Sphinx were as great as 50%. This indicates a clear incentive for assigning applications to cores according to the best possible schedule. While a contention-oblivious scheduler might accidentally happen upon the best schedule, it could just as well run the worst schedule. A contention-aware scheduler, on the other hand, would be better positioned to choose a schedule that performs well.

This article describes an investigation of a thread scheduler that would mitigate resource contention on multicore processors. Although we began this investigation using an analytical modeling approach that would be difficult to implement online, we ultimately arrived at a scheduling method that can be easily implemented online with a modern operating system or even prototyped at the user level. To share a complete understanding of the problem, we describe both the offline and online modeling approaches. The article concludes with some actual performance…

Figure 1. A schematic view of a multicore system with two memory domains representing the architecture of Intel Quad-Core Xeon processors. (Each domain contains two cores sharing a last-level cache, prefetch hardware, and a front-side bus.)

Figure 2. Percentage of performance degradation over a solo run achieved in two different scheduling assignments: the best and the worst. The lower the bar, the better the performance.

Figure 3. Mcf (a) is an application with a rather poor temporal locality, hence the low reuse frequency and high miss frequency. Povray (b) has excellent temporal locality. Milc (c) rarely reuses its data, therefore showing a very low reuse frequency and a very high miss frequency.
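Reuse-distance (stack-distance) profiles like those in Figure 3 can be computed offline by simulating an LRU stack over a memory-access trace. A toy sketch — the trace and cache size below are made up for illustration:

```python
from collections import Counter

def reuse_profile(trace, cache_lines=4):
    """Compute a reuse-distance histogram and miss frequency for an access
    trace, using the classic stack (LRU) distance: the number of distinct
    lines touched since the same line was last accessed."""
    stack = []                 # LRU stack of line addresses, most recent first
    hist = Counter()           # reuse distance -> count (reused lines only)
    misses = 0
    for line in trace:
        if line in stack:
            d = stack.index(line)      # distinct lines since last touch
            hist[d] += 1
            if d >= cache_lines:       # reused, but already evicted by LRU
                misses += 1
            stack.remove(line)
        else:
            misses += 1                # cold miss: first touch of this line
        stack.insert(0, line)
    return hist, misses / len(trace)

# Good temporal locality: immediate reuse puts the mass at distance 0.
hist, miss_freq = reuse_profile([0, 0, 1, 1, 2, 2, 0, 0])
print(dict(hist), miss_freq)   # {0: 4, 2: 1} 0.375
```

This captures exactly the two quantities Figure 3 plots — the reuse-frequency histogram and the miss frequency — and also makes plain why such profiles are expensive to obtain online: the simulation needs the full address trace.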
benefit from running in the same do- a scheduler that avoids cache conten- dicates the miss frequency (how often
main. In that case, they may access the tion, however, we needed to find ways that application misses in the cache).
shared resources cooperatively; for ex- to predict contention. The reuse-frequency histogram shows
ample, prefetch the data for each other There are two schools of thought the locality of reused data. Each bar
into the cache. While the effects of co- regarding the modeling of cache con- represents a range of reuse distances—
operative sharing must be factored into tention. The first suggests that consid- these can be thought of as the number
a good thread-placement algorithm ering the LLC miss rate of the threads of time steps that have passed since the
for multicores, this subject has been is a good way to predict whether these reused data was last touched. An appli-
explored elsewhere.9 The focus here is threads are likely to compete for the cation with a very good temporal locali-
managing resource contention. cache (the miss rate under contention ty will have many high bars to the left of
is an equally good heuristic as the solo the histogram (Figure 3b), as it would
Understanding miss rate). A miss rate is the number reuse its data almost immediately. This
Resource Contention of times per instruction when a thread particular application also has negli-
To build a contention-aware scheduler, fails to find an item in the LLC and so gible miss frequency. An application
we must first understand how to model must fetch it from memory. The rea- with a poor temporal locality will have
contention for shared resources. Mod- soning is that if a thread issues lots of a flatter histogram and a rather high
eling allows us to predict whether a cache misses, it must have a large cache miss frequency (Figure 3a). Finally, an
particular group of threads is likely working set, since each miss results in application that hardly ever reuses its
to compete for shared resources and the allocation of a new cache line. This data will result in a histogram indicat-
to what extent. Most of the academic way of thinking also maintains that any ing negligible reuse frequency and a
work in this area has focused on mod- thread that has a large cache working very high miss frequency (Figure 3c).
eling contention for LLCs, as this was set must suffer from contention (since Memory-reuse profiles have been
believed to have the greatest effect on it values the space in the cache) while used in the past to effectively model
performance. This is where we started inflicting contention on others. the contention between threads that
our investigation as well. This proposal is contradicted by fol- share a cache.3 These models, the de-
Cache contention occurs when two lowers of the second school of thought, tails of which we omit from this article,
or more threads are assigned to run on who reason that if a thread hardly ever are based on the shape of memory-re-
the cores of the same memory domain reuses its cached data—as would be the use profiles. One such model, the SDC
(for example, Core 0 and Core 1 in Fig- case with a video-streaming application (stack distance competition) examines
ure 1). In this case, the threads share that touches the data only once—it will the reuse frequency of threads sharing
the LLC. A cache consists of cache lines not suffer from contention even if it the cache to determine which of the
that are allocated to hold the memory brings lots of data into the cache. That threads is likely to “win” more cache
of threads as the threads issue cache is because such a thread needs very lit- space; the winning thread is usually
requests. When a thread requests a line tle space to keep in cache the data that the one with the highest overall reuse
that is not in the cache—that is, when it it actively uses. This school of thought frequency. Still, the SDC model, along
issues a cache miss—a new cache line must be allocated. The issue here is that when a cache line must be allocated but the cache is full (which is to say, whenever all the other cache lines are being used to hold other data), some data must be evicted to free up a line for the new piece of data. The evicted line might belong to a different thread from the one that issued the cache miss (modern CPUs do not assure any fairness in that regard), so an aggressive thread might end up evicting data for some other thread and thus hurting its performance.

Although several researchers have proposed hardware mechanisms for mitigating LLC contention,3,7 to the best of our knowledge these have not been implemented in any currently available systems. We therefore looked for a way to address contention in the systems that people are running now and ended up turning our attention to scheduling as a result. Before building […]

[…] advocates that to model cache contention one must consider the memory-reuse pattern of the thread. Followers of this approach therefore created several models for shared cache contention based on memory-reuse patterns, and they have demonstrated that this approach predicts the extent of contention quite accurately.3 On the other hand, only limited experimental data exists to support the plausibility of the other approach to modeling cache contention.5 Given the stronger evidence in favor of the memory-reuse approach, we built our prediction model based on that method.

A memory-reuse pattern is captured by a memory-reuse profile, also known as the stack-distance2 or reuse-distance profile.1 Figure 3 shows examples of memory-reuse profiles belonging to applications in the SPEC CPU2006 suite. The red bars on the left show the reuse frequency (how often the data is reused), and the blue bar on the right in- […]

[…] with all the other models based on memory-reuse profiles, was deemed too complex for our purposes. After all, our goal was to use a model in an operating-system scheduler, meaning it needed to be both efficient and lightweight. Furthermore, we were interested in finding methods for approximating the sort of information memory-reuse profiles typically afford using just the data that's available at runtime, since memory-reuse profiles themselves are very difficult to obtain at runtime. Methods for obtaining these profiles online require unconventional hardware7 or rely on hardware performance counters available only on select systems.8
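A stack-distance profile of the kind just described can be computed from an address trace with simple LRU-stack bookkeeping. The sketch below is illustrative only: `reuse_distance_histogram` is a hypothetical helper, not the profiling tool used in the study, and real profilers work at cache-line granularity with far less overhead:

```python
from collections import Counter

def reuse_distance_histogram(trace):
    """Stack-distance (reuse-distance) histogram for an address trace.

    The reuse distance of an access is the number of distinct addresses
    touched since the previous access to the same address; first-time
    accesses are recorded under the key "inf" (cold misses).
    """
    lru_stack = []        # most recently used address is at the end
    histogram = Counter()
    for addr in trace:
        if addr in lru_stack:
            # Distinct addresses touched since the last access to addr.
            distance = len(lru_stack) - 1 - lru_stack.index(addr)
            histogram[distance] += 1
            lru_stack.remove(addr)
        else:
            histogram["inf"] += 1
        lru_stack.append(addr)  # addr becomes the most recent
    return histogram

# Two addresses alternating: every reuse skips exactly one other address.
print(reuse_distance_histogram(["a", "b", "a", "b"]))
```

A histogram like this is what the sensitivity and intensity metrics discussed next are designed to summarize in a form cheap enough for a scheduler.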
Our goal, therefore, was to capture the essence of memory-reuse profiles in a simple metric and then find a way to approximate this metric using data that a thread scheduler can easily obtain online. To this end, we discovered that memory-reuse profiles are highly successful at modeling contention largely because they manage to capture two important qualities related to contention: sensitivity and intensity. Sensitivity measures how much a thread suffers whenever it shares the cache with other threads. Intensity, on the other hand, measures how much a thread hurts other threads whenever it shares a cache with them. Measuring sensitivity and intensity appealed to us because together they capture the key information contained within memory-reuse profiles; we also had some ideas about how they could be approximated using online performance data. Before learning how to approximate sensitivity and intensity, however, we needed to confirm that these were indeed good bases for modeling cache contention among threads. To accomplish that, we formally derived the sensitivity and intensity metrics based on data in the memory-reuse profiles. After confirming that the metrics derived in this way did indeed accurately model contention, we could then attempt to approximate them using just online data.

Accordingly, we derived sensitivity S and intensity Z for an application using data from its memory-reuse profile. To compute S, we applied an aggregation function to the reuse-frequency histogram. Intuitively, the higher the reuse frequency, the more an application is likely to suffer from the loss of cache space due to contention with another application—signifying a higher sensitivity. To compute Z, we simply used the cache-access rate, which can be inferred from the memory-reuse profile. Intuitively, the higher the access rate, the higher the degree of competition from the thread in question, since a high access rate shows that it allocates new cache lines while retaining old ones. Details of the derivation of S and Z are described in another article.10

Using the metrics S and Z, we then created another metric called Pain, where the Pain of thread A due to sharing a cache with thread B is the product of the sensitivity of A and the intensity of B, and vice versa. The combined Pain for the thread pair is the sum of the Pain of A due to B and the Pain of B due to A, as shown here:

Pain(A|B) = S_A * Z_B
Pain(B|A) = S_B * Z_A
Pain(A,B) = Pain(A|B) + Pain(B|A)

Intuitively, Pain(A|B) approximates the performance degradation of A when A runs with B, relative to running solo. It will not capture the absolute degradation entirely accurately, but it is good for approximating relative degradations. For example, given two potential neighbors for A, the Pain metric can predict which will cause a higher performance degradation for A. This is precisely the information a contention-aware scheduler would require.

The Pain metric shown here assumes that only two threads share a cache. There is evidence, however, showing that this metric applies equally well when more than two threads share the cache. In that case, in order to compute the Pain for a particular thread as a consequence of running with all of its neighbors concurrently, the Pain owing to each neighbor must be averaged.

After developing the Pain metric based on memory-reuse profiles, we looked for a way to approximate it using just the data available online via standard hardware performance counters. This led us to explore two performance metrics to approximate sensitivity and intensity: the cache-miss rate and the cache-access rate. Intuitively, these metrics correlate with the reuse frequency and the intensity of the application. Our findings regarding which metric offers the best approximation are surprising, so to maintain some suspense, we postpone their revelation until the section entitled "Evaluation of Modeling Techniques."

Using Contention Models in a Scheduler

In evaluating the new models for cache contention, our goal was to determine how effective the models would be for constructing contention-free thread schedules. We wanted the model to help us find the best schedule and avoid the worst one (recall Figure 2). Therefore, we evaluated the models on the merit of the schedules they managed to construct. With that in mind, we describe here how the scheduler uses the Pain metric to find the best schedule.
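In code, the pairwise Pain computation reduces to a few multiplications. The sensitivity (S) and intensity (Z) values below are made-up stand-ins for illustration, not measurements from the article:

```python
def pain(S, Z, a, b):
    """Combined Pain of co-scheduling threads a and b on one shared cache:
    Pain(a|b) = S_a * Z_b, Pain(b|a) = S_b * Z_a, and the pair's Pain is
    their sum. With more than two neighbors, the per-neighbor Pain values
    would be averaged instead, as noted in the text."""
    return S[a] * Z[b] + S[b] * Z[a]

# Hypothetical per-thread sensitivity and intensity values.
S = {"A": 0.8, "B": 0.3, "C": 0.5, "D": 0.1}
Z = {"A": 0.6, "B": 0.2, "C": 0.9, "D": 0.1}

print(round(pain(S, Z, "A", "B"), 2))  # 0.8*0.2 + 0.3*0.6 = 0.34
```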
To simplify the explanation for this evaluation, we have a system with two pairs of cores sharing two caches (as illustrated in Figure 1), but as mentioned earlier, the model also works well with more cores per cache. In this case, however, we want to find the best schedule for four threads. The scheduler would construct all the possible permutations of threads on this system, with each of the permutations being unique in terms of how the threads are paired on each memory domain. If we have four threads—A, B, C, and D—there will be three unique schedules: (1) {(A,B), (C,D)}; (2) {(A,C), (B,D)}; and (3) {(A,D), (B,C)}. Notation (A,B) means that threads A and B are co-scheduled in the same memory domain. For each schedule, the scheduler estimates the Pain for each pair: in schedule {(A,B), (C,D)} the scheduler would estimate Pain(A,B) and Pain(C,D) using the equations presented previously. Then it averages the Pain values of the pairs to estimate the Pain for the schedule as a whole. The schedule with the lowest Pain is deemed to be the estimated best schedule. Figure 4 is a summary of this procedure.

Figure 4. Computing the Pain for all possible schedules. The schedule with the lowest Pain is chosen as the estimated best schedule.

Schedule {(A,B), (C,D)}: Pain = Average(Pain(A,B), Pain(C,D))
Schedule {(A,C), (B,D)}: Pain = Average(Pain(A,C), Pain(B,D))
Schedule {(A,D), (B,C)}: Pain = Average(Pain(A,D), Pain(B,C))

The estimated best schedule can be obtained either by using the Pain metric constructed via actual memory-reuse profiles or by approximating the Pain metric using online data.

Once the best schedule has been estimated, we must compare the performance of the workload in the estimated best schedule with the performance achieved in the actual best schedule. The most direct way of doing this is to run the estimated best schedule on real hardware and compare its performance with that of the actual best schedule, which can be obtained by running all schedules on real hardware and then choosing the best one. Although this is the most direct approach (which we used for some experiments in the study), it limited the number of workloads we could test, because running all possible schedules for a large number of workloads is time consuming.

To evaluate a large number of workloads in a short amount of time, we invented a semi-analytical evaluation methodology that relies partially on data obtained from tests on a real system and otherwise applies analytical techniques. Using this approach, we selected 10 benchmark applications from the SPEC CPU2006 suite to use in the evaluation. They were chosen using the minimum spanning-tree clustering method to ensure the applications represented a variety of memory-access patterns.

We then ran all possible pairings of these applications on the experimental platform, a Quad-Core Intel Xeon system, where each Quad-Core processor looked like the system depicted in Figure 1. In addition to running each possible pair of benchmark applications on the same memory domain, we ran each benchmark alone on the system. This gave us the measure of the actual degradation in performance for each benchmark as a consequence of sharing a cache with another benchmark, as opposed to running solo. Recall that degradation relative to performance in the solo mode is precisely the quantity approximated by the Pain metric. So by comparing the scheduling assignment constructed based on the actual degradation to that constructed based on the Pain metric, we can evaluate how good the Pain metric is in finding good scheduling assignments.

Having the actual degradations enabled us to construct the actual best schedule using the method shown in Figure 5. The only difference was that, instead of using the model to compute Pain(A,B), we used the actual performance degradation that we had measured on a real system (with Pain being equal to the sum of the degradation of A running with B relative to running solo and the degradation of B running with A relative to running solo).

Once we knew the actual best schedule, we needed a way to compare it with the estimated best schedule. The performance metric was the average degradation relative to solo execution for all benchmarks. For example, suppose the estimated best schedule was {(A,B), (C,D)}, while the actual best schedule was {(A,C), (B,D)}. We computed the average degradation for each schedule to find the difference between the degradation in the estimated best versus the degradation in the actual one, as indicated in Figure 5. The notation Degrad(A|B) refers to the measured performance degradation of A when running alongside B, relative to A running solo.

Figure 5. The metric for comparing the actual best and the estimated best schedule.

Estimated Best Schedule {(A,B), (C,D)}:
DegradationEst = Average(Degrad(A|B), Degrad(B|A), Degrad(C|D), Degrad(D|C))
Actual Best Schedule {(A,C), (B,D)}:
DegradationAct = Average(Degrad(A|C), Degrad(C|A), Degrad(B|D), Degrad(D|B))
Degradation over actual best = (DegradationEst / DegradationAct - 1) × 100%

This illustrates how to construct estimated best and actual best schedules for any four-application workload on a system with two memory domains, so long as actual pair-wise degradations for any pair of applications have been obtained on the experimental system. Using the same methodology, we can evaluate this same model on systems with a larger number of memory domains. In that case, the number of possible schedules grows, but everything else in the methodology remains the same. In using this methodology, we assumed that the degradation for an application pair (A,B) would be the same whether it were obtained on a system where only A and B were running or on a system with other threads, such as (C,D), running alongside (A,B) on another domain. This is not an entirely accurate assumption since, with additional applications running, there will be higher contention for the front-side bus. Although there will be some error in estimating schedule-average degradations under this method, the error is not great enough to affect the evaluation results significantly. Certainly, the error is not large enough to lead to a choice of the "wrong" best schedule.

FEBRUARY 2010 | VOL. 53 | NO. 2 | COMMUNICATIONS OF THE ACM 53
practice

Figure 6. The percentage by which performance of schedules estimated to be best according to various modeling techniques varies from the actual best schedules. Low bars are good. [Bars: Pain, SDC, Approx-Pain, Random; y-axis: % worse than actual best.]
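Putting Figures 4 and 5 together, the scheduler's search is a small enumeration. Everything below is a sketch with hypothetical pairwise Pain and degradation numbers; the hard-coded three pairings apply only to the four-thread, two-domain case discussed here:

```python
def schedule_pain(schedule, pair_pain):
    """Figure 4: average the Pain of the co-scheduled pairs."""
    return sum(pair_pain[frozenset(p)] for p in schedule) / len(schedule)

def estimated_best_schedule(threads, pair_pain):
    """Enumerate the three unique pairings of four threads onto two
    shared caches and pick the schedule with the lowest Pain."""
    a, b, c, d = threads
    pairings = [((a, b), (c, d)), ((a, c), (b, d)), ((a, d), (b, c))]
    return min(pairings, key=lambda s: schedule_pain(s, pair_pain))

def degradation_over_actual_best(deg_est, deg_act):
    """Figure 5: how much worse (in percent) the estimated best schedule's
    average degradation is than the actual best schedule's."""
    return (deg_est / deg_act - 1) * 100

# Hypothetical pairwise Pain values for threads A..D.
pair_pain = {
    frozenset("AB"): 0.34, frozenset("CD"): 0.14,
    frozenset("AC"): 0.90, frozenset("BD"): 0.05,
    frozenset("AD"): 0.40, frozenset("BC"): 0.37,
}
print(estimated_best_schedule("ABCD", pair_pain))  # (('A', 'B'), ('C', 'D'))
print(degradation_over_actual_best(1.03, 1.00))    # ~3.0 (3% worse)
```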
Evaluation of Modeling Techniques

Here, we present the results obtained […] the actual best ought to be small, so in considering Figure 6, remember that low bars are good. The results for four different systems—with four, six, eight, and 10 cores—are indicated. In all cases there were two cores per memory domain. (Actual results from a system with a larger number of cores per memory domain are shown later.) Each bar represents the average for all the benchmark pairings that could be constructed out of our 10 representative benchmarks on a system with a given number of cores, such that there is exactly one benchmark per core. On four- and six-core systems, there were 210 such combinations, whereas an eight-core system had 45 combinations, and a 10-core system had only one combination. For each combination, we predicted the best schedule. The average performance degradation from the actual best for each of these estimated best schedules is reported in each bar in the figure.

The first thing we learned from the metric in Figure 5 was that the Pain model is effective for helping the scheduler find the best thread assignment: it produces results that are within 1% of the actual best schedule. (The effect on the actual execution time is explored later.) We also found that choosing a random schedule produces significantly worse performance, especially as the number of cores grows. This is significant in that a growing number of cores is the expected trend for future multicore systems.

Figure 6 also indicates that the Pain approximated by way of an online metric works very well, coming within just 3% of the actual best schedule. At the same time, the SDC, a well-proven model from an earlier study, turns out to be less accurate. These results—both the effectiveness of the approximated Pain metric and the disappointing performance of the older SDC model—were quite unexpected. Who could have imagined that the best way to approximate the Pain metric would be to use the LLC miss rate? In other words, the LLC miss rate of a thread is the best predictor of both how much the thread will suffer from contention (its sensitivity) and how much it will hurt others (its intensity). As explained at the beginning of this article, while there was limited evidence indicating that the miss rate predicts contention, it ran counter to the memory-reuse-based approach, which was supported by a much larger body of evidence.

Our investigation of this paradox led us to examine the causes of contention on multicore systems. We performed several experiments that aimed to isolate and quantify the degree of contention for various types of shared resources: cache, memory controller, bus, and prefetching hardware. The precise setup of these experiments is described in another study.10 We arrived at the following findings.

First, it turns out that contention for the shared cache—the phenomenon by which competing threads end up evicting each other's cache lines from the cache—is not the main cause of performance degradation experienced by competing applications on multicore systems. Contention for other shared resources, such as the front-side bus, prefetching resources, and the memory controller, is the dominant cause of performance degradation (see Figure 7). That is why the older memory-reuse model, designed to model cache contention only, was not effective in our experimental environment. The authors of that model evaluated it on a simulator that did not model contention for resources other than shared cache, and it turns out that, when applied to a real system where other types of contention were present, the model did not prove effective.

[Figure 7. Per-benchmark results for Soplex, Gcc, Lbm, Mcf, Sphinx, and Milc; y-axis: 0% to 80%.]

On the other hand, the cache-miss rate turned out to be an excellent predictor of contention for the memory controller, prefetching hardware, and front-side bus. Each application in our model was co-scheduled with the Milc application to generate contention. Given the limitations of existing hardware counters, it was difficult to separate the effects of contention for the prefetching hardware itself from the effects of additional contention for the memory controller and front-side bus caused by prefetching. Therefore, the impact of prefetching shows the combined effect of these two factors.

An application issuing many cache misses will occupy the memory controller and the front-side bus, so it will not only hurt other applications that use that hardware but also end up suffering itself if this hardware is usurped by others. An application aggressively using prefetching hardware will also typically have a high LLC miss rate, because prefetch requests for data that is not in the cache are counted as cache misses. Therefore, a high miss rate is also an indicator of heavy use of prefetching hardware.

In summary, our investigation of contention-aware scheduling algorithms has taught us that high-miss-rate applications must be kept apart. That is, they should not be co-scheduled in the same memory domain. Although some researchers have already suggested this approach, it is not well understood why using the miss rate as a proxy for contention ought to be effective, particularly in that it contradicts the theory behind the popular memory-reuse model. Our findings should help put an end to this controversy.

Based on this new knowledge, we have built a prototype of a contention-aware scheduler that measures the miss rates of threads online and decides how to place threads on cores based on that information. Here, we present some experimental data showing the potential impact of this contention-aware scheduler.

Implications

Based on our understanding of contention on multicore processors, we have built a prototype of a contention-aware scheduler for multicore systems called Distributed Intensity Online (DIO). The DIO scheduler distributes intensive applications across memory domains (and by intensive we mean those with high LLC miss rates) after measuring the applications' miss rates online. Another prototype scheduler, called Power Distributed Intensity (Power DI), is intended for scheduling applications in the workload across multiple machines in a data center. One of its goals is to save power by determining how to employ as few systems as possible without hurting performance. The following are performance results for these two schedulers.

Distributed Intensity Online. Different workloads offer different opportunities to achieve performance improvements through the use of a contention-aware scheduling policy. For example, a workload consisting of non-memory-intensive applications (those with low cache-miss rates) will not experience any performance improvement, since there is no contention to alleviate in the first place. Therefore, for our experiments we constructed eight-application workloads containing from two to six memory-intensive applications. We picked eight workloads in total, all consisting of SPEC CPU2006 applications, and then executed them under the DIO and the default Linux scheduler on an AMD Opteron system featuring eight cores—four per memory domain. The results are shown in Figure 8. The performance improvement relative to default has been computed as the average improvement for all applications in the workload (since not all applications are memory intensive, some do not improve). We can see that DIO renders workload-average performance improvements of up to 11%.

Another potential use of DIO is as a way to ensure QoS (quality of service) for critical applications, since DIO essentially provides a means to make sure the worst scheduling assignment is never selected, while the default scheduler may occasionally suffer as a consequence of a bad thread placement. Figure 9 shows, for each of the applications as part of the eight test workloads, its worst-case performance under DIO relative to its worst-case performance under the default Linux scheduler. The numbers are shown in terms of the percentage improvement of the worst-case behavior achieved under DIO relative to that encountered with the default Linux scheduler, so higher bars in this case are better. We can see that some applications are as much as 60% to 80% better off with their worst-case DIO execution times, and in no case did DIO do significantly worse than the default scheduler.
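The placement rule at the heart of DIO can be sketched in a few lines: rank threads by LLC miss rate and deal them out across memory domains so the most intensive threads are separated. The miss-rate numbers below are invented for illustration; a real implementation would read them from hardware performance counters and re-balance periodically:

```python
def dio_place(miss_rates, n_domains):
    """Assign threads to memory domains, highest miss rate first.

    Dealing the sorted threads out round-robin keeps the memory-
    intensive threads in different domains, which is the core idea
    of the Distributed Intensity policy."""
    ranked = sorted(miss_rates, key=miss_rates.get, reverse=True)
    domains = [[] for _ in range(n_domains)]
    for i, thread in enumerate(ranked):
        domains[i % n_domains].append(thread)
    return domains

# Hypothetical LLC misses per 1,000 instructions for four SPEC programs.
rates = {"mcf": 25.0, "milc": 18.0, "gamess": 0.2, "povray": 0.1}
print(dio_place(rates, 2))  # [['mcf', 'gamess'], ['milc', 'povray']]
```

A Power DI-style variant would apply a similar ranking across machines, subject to the goal of filling as few servers as possible.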
Power Distributed Intensity. One of the most effective ways to conserve CPU power consumption is to turn off unused cores or entire memory domains in an active system. Similarly, if the workload is running on multiple machines—for example, in a data center—power savings can be accomplished by clustering the workload on as few servers as possible while powering down the rest. This seemingly simple solution is a double-edged sword, however, because clustering the applications on just a few systems may cause them to compete for shared system resources and thus suffer performance loss. As a result, more time will be needed to complete the workload, meaning that more energy will be consumed. In an attempt to save power it is also necessary […]

Figure 8. Performance of eight workloads under DIO relative to the default Linux scheduler. [Bar chart: % improvement over default, 0 to 12, for workloads WL1 through WL8.]

Figure 9. Worst-case performance for each of the applications included as part of the eight test workloads. [Bar chart: % improvement over default, up to 90; applications include Soplex, Mcf, Gamess, Gobmk, Libq, Povray, Omnetpp, H264ref, Namd, Milc, Perlb, Sphinx, Gcc, and Lbm.]
DOI:10.1145/1646353.1646372

Software Model Checking Takes Off

ALTHOUGH FORMAL METHODS have been used in the development of safety- and security-critical systems for years, they have not achieved widespread industrial use in software or systems engineering. However, two important trends are making the industrial use of formal methods practical. The first is the growing acceptance of model-based development for the design of embedded systems. Tools such as MATLAB Simulink6 and Esterel Technologies SCADE Suite2 are achieving widespread use in the design of avionics and automotive systems. The graphical models produced by these tools provide a formal, or nearly formal, specification that is often amenable to formal analysis. The second is the growing power of formal verification tools, particularly model checkers. For many classes of models they provide a "push-button" means of determining if a model meets its requirements. Since these tools examine all possible combinations of inputs and state, they are much more likely to find design errors than testing.

Here, we describe a translator framework developed by Rockwell Collins and the University of Minnesota that allows us to automatically translate from some of the most popular commercial modeling languages to a variety of model checkers and theorem provers. We describe three case studies in which these tools were used on industrial systems, demonstrating that formal verification can be used effectively on real systems when properly supported by automated tools.
Model-Based Development

Model-based development (MBD) refers to the use of domain-specific, graphical modeling languages that can be executed and analyzed before the actual system is built. The use of such modeling languages allows developers to create a model of the system, execute it on their desktops, analyze it with automated tools, and use it to automatically generate code and test cases.

Throughout this article we use MBD to refer specifically to software developed using synchronous dataflow languages such as those found in MATLAB Simulink and Esterel Technologies SCADE Suite. Synchronous modeling languages latch their inputs at the start of a computation step, compute the next system state and its outputs as a single atomic step, and communicate between components using dataflow signals. This differs from the more general class of modeling languages that include support for asynchronous execution of components and communication using message passing. MBD has become very popular in the avionics and automotive industries, and we have found synchronous dataflow models to be especially well suited for automated verification using model checking.

Model checkers are formal verification tools that evaluate a model to determine if it satisfies a given set of properties.1 A model checker will consider every possible combination of inputs and state, making the verification equivalent to exhaustive testing of the model. If a property is not true, the model checker produces a counterexample showing how the property can be falsified.

There are many types of model checkers, each with its own strengths and weaknesses. Explicit state model checkers such as SPIN4 construct and store a representation of each state visited. Implicit state (symbolic) model checkers use logical representations of sets of states (such as Binary Decision Diagrams) to describe regions of the model state space that satisfy the properties being evaluated. Such compact representations generally allow symbolic model checkers to handle a much larger state space than explicit state model checkers. We have […]
models containing real numbers and unbounded arrays. These checkers use a form of induction over the state transition relation to automatically prove that a property holds over all executable paths in a model. While these tools can handle a larger class of models, the properties to be checked must be written to support inductive proof.

The Translator Framework

As part of NASA's Aviation Safety Program (AvSP), Rockwell Collins and the University of Minnesota developed a product family of translators that bridge the gaps between some of the most popular commercial modeling languages and several model checkers and theorem provers.8 An overview of this framework is shown in Figure 1.

These translators work primarily with the Lustre formal specification language,3 but this is hidden from the users. The starting point for translation is a design model in MATLAB Simulink/Stateflow or Esterel Technologies SCADE Suite/Safe State Machines. SCADE Suite produces Lustre models directly. Simulink or Stateflow models can be imported using SCADE Suite or the Reactis10 tool and a translator developed by Rockwell Collins. To ensure each Simulink or Stateflow construct has a well-defined semantics, the translator restricts the models that it will accept to those that can be translated unambiguously into Lustre.

Once in Lustre, the specification is loaded into an abstract syntax tree (AST) and a number of transformation passes are applied to it. Each transformation pass produces a new Lustre AST that is syntactically closer to the target specification language and preserves the semantics of the original Lustre specification. This allows all Lustre type checking and analysis tools to be used as debugging aids during the development of the translator. When the AST is sufficiently close to the target language, a pretty printer is used to output the target specification.

[…] translators in a matter of days. The number of transformation passes depends on the similarity of the source and target languages and on the number of optimizations to be made. Our translators range in size from a dozen to over 60 passes.

The translators produce highly optimized specifications appropriate for the target language. For example, when translating to NuSMV, the translator eliminates as much redundant internal state as possible, making it very efficient for BDD-based model checking. When translating to the PVS theorem prover, the specification is optimized for readability and to support the development of proofs in PVS. When generating executable C or Ada code, the code is optimized for execution speed on the target processor. These optimizations can have a dramatic effect on the target analysis tools. For example, optimization passes incorporated into the NuSMV translator reduced the time required for NuSMV to check one model from over 29 hours to less than a second.

However, some optimizations are better incorporated into the verification tools than into the translator. For example, predicate abstraction1 is a well-known technique for reducing the size of the reachable state space, but automating this during translation would require a tight interaction between our translator and the analysis tool to iteratively refine the predicates […]

Counterexample.

Step              1        2        3
Inputs
  Start           0        1        0
  Clear           0        0        0
  Door Closed     0        1        0
  Steps to Cook   0        1        1
Outputs
  Mode            Setup    Cooking  Cooking
  Steps Remaining 0        1        0
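The counterexample above is exactly the kind of trace an explicit-state checker produces. The toy below makes that concrete: a breadth-first search over reachable states that returns the shortest input sequence violating an invariant. The oven-like model and its deliberately planted bug are invented for illustration and are far simpler than the industrial models discussed next:

```python
from collections import deque

def check_invariant(init, inputs, step, invariant):
    """Explicit-state reachability check in BFS order.

    Returns None if the invariant holds in every reachable state,
    otherwise the shortest trace of states ending in a violation."""
    parent = {init: None}              # state -> (predecessor, input)
    queue = deque([init])
    while queue:
        state = queue.popleft()
        if not invariant(state):       # violation: rebuild the trace
            trace = []
            while state is not None:
                trace.append(state)
                prev = parent[state]
                state = prev[0] if prev else None
            return list(reversed(trace))
        for inp in inputs:
            nxt = step(state, inp)
            if nxt not in parent:      # store each state once, SPIN-style
                parent[nxt] = (state, inp)
                queue.append(nxt)
    return None

# Toy oven model: state = (mode, door_closed), input = (start, door_closed).
# Planted bug: cooking never stops when the door opens.
def step(state, inp):
    mode, _ = state
    start, door_closed = inp
    if mode == "setup" and start and door_closed:
        mode = "cooking"
    return (mode, door_closed)

trace = check_invariant(
    init=("setup", False),
    inputs=[(s, d) for s in (False, True) for d in (False, True)],
    step=step,
    invariant=lambda st: not (st[0] == "cooking" and not st[1]),
)
print(trace)  # setup -> cooking (door closed) -> cooking with the door open
```

A symbolic checker such as NuSMV explores the same state space with BDDs rather than one state at a time, which is what makes the enormous state spaces reported below tractable.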
[…] production models that we have examined, very few counterexamples are longer than a few steps.

Case Studies

To be of any real value, model checking must be able to handle much larger problems. Three case studies on the application of our tools to industrial examples are described here. A fourth case study is discussed in Miller et al.7

ADGS-2100 Window Manager. One of the largest and most successful applications of our tools was to the ADGS-2100 Adaptive Display and Guidance System Window Manager.13 In modern aircraft, pilots are provided aircraft status primarily through computerized display panels similar to those shown in Figure 3. The ADGS-2100 is a Rockwell Collins product that provides the heads-down and heads-up displays and display management software for next-generation commercial aircraft.

The Window Manager (WM) ensures that data from different applications is routed to the correct display panel. In normal operation, the WM determines which applications are being displayed in response to the pilot selections. However, in the case of a component failure, the WM also decides which information is most critical and routes this information from one of the redundant sources to the most appropriate display panel. The WM is essential to the safe flight of the aircraft. If the WM contains logic errors, critical flight information could be unavailable to the flight crew.

While very complex, the WM is specified in Simulink using only Booleans and enumerated types, making it ideal for verification using a BDD-based model checker such as NuSMV. The WM is composed of five main components that can be analyzed independently. These five components contain a total of 16,117 primitive Simulink blocks that are grouped into 4,295 instances of Simulink subsystems. The reachable state space of the five components ranges from 9.8 × 10^9 to 1.5 × 10^37 states.

Ultimately, 563 properties about the WM were developed and checked, and 98 errors were found and corrected in early versions of the WM model. This verification was done early in the design process while the design was still changing. By the end of the project, the WM developers were checking the properties after every design change.

"Running a set of properties after each model revision is a quick and easy way to see if anything has been broken. We encourage our developers to 'check your models early and check them often.'"

CerTA FCS Phase I. Our second case study was sponsored by the U.S. Air Force Research Laboratory (AFRL) under the Certification Technologies for Advanced Flight Critical Systems (CerTA FCS) program in order to compare the effectiveness of model checking and testing.12 In this study, we applied our tools to the Operational Flight Program (OFP) of an unmanned aerial vehicle developed by Lockheed Martin Aerospace. The OFP is an adaptive flight control system that modifies its behavior in response to flight conditions. Phase I of the project concentrated on applying our tools to the Redundancy Management (RM) logic, which is based almost entirely on Boolean and enumerated types.

The RM logic was broken down into three components that could be analyzed individually. While relatively small (they contained a total of 169 primitive Simulink blocks organized into 23 subsystems, with reachable state spaces ranging from 2.1 × 10^4 to 6.0 × 10^13 states), the RM logic was replicated in the OFP once for each of the 10 control surfaces on the aircraft, making it a significant portion of the OFP logic.

To compare the effectiveness of model checking and testing at discovering errors, this project had two independent verification teams, one that used testing and one that used model checking. The formal verification team developed a total of 62 properties from the OFP requirements and checked these properties with the NuSMV model checker, uncovering 12 errors in the RM logic. Of these 12 errors, four were classified by Lockheed Martin as severity 3 (only severity 1 and 2 can affect the safety of flight), two were classified as severity 4, two resulted in require- […]

CerTA FCS Phase II. […] the translation framework and model checking tools were used to verify important properties of the Effector Blender (EB) logic of an OFP for a UAV similar to that verified in Phase I.

The EB is a central component of the OFP that generates the actuator commands for the aircraft's six control surfaces. It is a large, complex model that repeatedly manipulates a 3 × 6 matrix of floating point numbers. It inputs 32 floating point inputs and a 3 × 6 matrix of floating point numbers and outputs a 1 × 6 matrix of floating point numbers. It contains over 2,000 basic Simulink blocks organized into 166 Simulink subsystems, many of which are Stateflow models.

Because of its extensive use of floating point numbers and large state space, the EB cannot be verified using a BDD-based model checker such as NuSMV. Instead, the EB was analyzed using the Prover SMT-solver from Prover Technologies. Even with the additional capabilities of Prover, several new issues had to be addressed, the hardest being dealing with floating point numbers.
ments changes, one was redundant, While Prover has powerful decision
and three resulted from requirements procedures for linear arithmetic with
that had not yet been implemented in real numbers and bit-level decision
the release of the software. procedures for integers, it does not
In similar fashion, the testing team have decision procedures for floating
developed a series of tests from the point numbers. Translating the float-
same OFP requirements. Even though ing point numbers into real numbers
the testing team invested almost half was rejected since much of the arith-
as much time in testing as the for- metic in the EB is inherently nonlinear.
mal verification team spent in model Also, the use of real numbers would
checking, testing failed to find any er- mask floating point arithmetic errors
rors. The main reason for this was that such as overflow and underflow.
the demonstration was not a compre- Instead, the translator framework
hensive test program. While some of was extended to convert floating point
these errors could be found through numbers to fixed point numbers using
testing, the cost would be much high- a scaling factor provided by the OFP
er, both to find and fix the errors. In designers. The fixed point numbers
addition, the errors found through were then converted to integers using
model checking tended to be intermit- bit-shifting to preserve their magni-
tent, near simultaneous, or combina- tude. While this allowed the EB to be
tory sequences of failures that would verified using Prover’s bit-level integer
be very difficult to detect through test- decision procedures, the results were
ing. The conclusion of both teams was unsound due to the loss of precision.
that model checking was shown to However, if errors were found in the
be more cost effective than testing in verified model, their presence could
finding design errors. easily be confirmed in the original
CerTa FCS Phase II. The purpose of model. This allowed the verification
Phase II of the CerTA FCS project was to be used as a highly effective debug-
to investigate whether model checking ging step, even though it did not guar-
could be used to verify large, numeri- antee correctness.
cally intensive models. In this study, Determining what properties to
Determining what properties to verify was also a difficult problem. The requirements for the EB are actually specified for the combination of the EB and the aircraft model, but checking both the EB and the aircraft model exceeded the capabilities of the Prover Plug-In model checker. After consultation with the OFP designers, the verification team decided to verify whether the six actuator commands would always be within dynamically computed upper and lower limits. Violation of these properties would indicate a design error in the EB logic.

Even with these adjustments, the EB model was large enough that it had to be decomposed into a hierarchy of components several levels deep. The leaf nodes of this hierarchy were then verified using Prover Plug-In, and their composition was verified using manual proofs. This approach also ensured that unsoundness could not be introduced through circular reasoning, since Simulink enforces the absence of cyclic dependencies between atomic subsystems.

Ultimately, five errors in the EB design logic were discovered and corrected through model checking of these properties. In addition, several potential errors that were being masked by defensive design practices were found and corrected.

Lessons from the Case Studies
The case studies described here demonstrate that model checking can be effectively used to find errors early in the development process for many classes of models. In particular, even very complex models can be verified with BDD-based model checkers if they consist primarily of Boolean and enumerated types. Every industrial system we have studied contains large sections that either meet this constraint or can be made to meet it with some alteration.

For this class of models, the tools are simple enough for developers to use them routinely and without extensive training. In our experience, a single day of training and a low level of ongoing mentoring are usually sufficient. This also makes it practical to perform model checking early in the development process while a model is still changing.

Running a set of properties after each model revision is a quick and easy way to see if anything has been broken. We encourage our developers to "check your models early and check them often." The time spent model checking is recovered several times over by avoiding rework during unit and integration testing.

Since model checking examines every possible combination of input and state, it is also far more effective at finding design errors than testing, which can only check a small fraction of the possible inputs and states. As demonstrated by the CerTA FCS Phase I case study, it can also be more cost effective than testing.

Future Directions
There are many directions for further research. As illustrated in the CerTA FCS Phase II study, numerically intensive models still pose a challenge for model checking. SMT-based model checkers hold promise for verification of these systems, but the need to write properties that can be verified through induction over the state transition relation makes them more difficult for developers to use.

Most industrial models used to generate code make extensive use of floating point numbers. Other models, particularly those that deal with spatial relationships such as navigation, make extensive use of trigonometric and other transcendental functions. A sound and efficient way of checking systems using floating point arithmetic and transcendental functions would be very helpful.

It can also be difficult to determine how many properties must be checked. Our experience has been that checking even a few properties will find errors, but that checking more properties will find more errors. Unlike testing, for which many objective coverage criteria have been developed, completeness criteria for properties do not seem to exist. Techniques for developing or measuring the adequacy of a set of properties are needed.

As discussed in the CerTA FCS Phase II case study, the verification of very large models may be achieved by using model checking on subsystems and more traditional reasoning to compose the subsystems. Combining model checking and theorem proving in this way could be a very effective approach to the compositional verification of large systems.

Acknowledgments
The authors wish to thank Ricky Butler, Celeste Bellcastro, and Kelly Hayhurst of the NASA Langley Research Center; Mats Heimdahl, Yunja Choi, Anjali Joshi, Ajitha Rajan, Sanjai Rayadurgam, and Jeff Thompson of the University of Minnesota; Eric Danielson, John Innis, Ray Kamin, David Lempia, Alan Tribble, Lucas Wagner, and Matt Wilding of Rockwell Collins; Bruce Krogh of CMU; Vince Crum, Wendy Chou, Ray Bortner, and David Homan of the Air Force Research Lab; and Greg Tallant and Walter Storm of Lockheed Martin for their contributions and support.

This work was supported in part by the NASA Langley Research Center under contract NCC-01001 of the Aviation Safety Program (AvSP) and by the Air Force Research Lab under contract FA8650-05-C-3564 of the Certification Technologies for Advanced Flight Control Systems program (CerTA FCS) [88ABW-2009-2730].

References
1. Clarke, E., Grumberg, O., and Peled, D. Model Checking. The MIT Press, Cambridge, MA, 2001.
2. Esterel Technologies. SCADE Suite Product Description; http://www.estereltechnolgies.com/
3. Halbwachs, N., Caspi, P., Raymond, P., and Pilaud, D. The synchronous dataflow programming language Lustre. In Proceedings of the IEEE 79, 9 (1991), 1305–1320.
4. Holzmann, G. The SPIN Model Checker: Primer and Reference Manual. Addison-Wesley Professional, 2003.
5. IRST. The NuSMV Model Checker; http://nusmv.irst.itc.it/
6. The MathWorks. Simulink Product Description; http://www.mathworks.com/
7. Miller, S., Anderson, E., Wagner, L., Whalen, M., and Heimdahl, M.P.E. Formal verification of flight critical software. In Proceedings of the AIAA Guidance, Navigation and Control Conference and Exhibit (San Francisco, CA, Aug. 15–18, 2005).
8. Miller, S., Tribble, A., Whalen, M., and Heimdahl, M.P.E. Proving the shalls. International Journal on Software Tools for Technology Transfer (Feb. 2006).
9. Prover Technology. Prover Plug-In Product Description; http://www.prover.com/
10. Reactive Systems, Inc.; http://www.reactive-systems.com/
11. SRI International. Symbolic Analysis Laboratory; http://sal.csl.sri.com/
12. Whalen, M., Cofer, D., Miller, S., Krogh, B., and Storm, W. Integration of formal analysis into a model-based software development process. In Proceedings of the 12th International Workshop on Formal Methods for Industrial Critical Systems (Berlin, Germany, July 1–2, 2007).
13. Whalen, M., Innis, J., Miller, S., and Wagner, L. ADGS-2100 Adaptive Display & Guidance System Window Manager Analysis. NASA Contractor Report CR-2006-213952 (Feb. 2006); http://shemesh.larc.nasa.gov/fm/fm-collins-pubs.html/

Steven P. Miller (spmiller@rockwellcollins.com) is a principal software engineer in the Advanced Technology Center at Rockwell Collins, Cedar Rapids, IA.

Michael W. Whalen (whalen@cs.umn.edu) is the program director at the University of Minnesota Software Engineering Center, Minneapolis, MN.

Darren D. Cofer (ddcofer@rockwellcollins.com) is a principal systems engineer in the Advanced Technology Center at Rockwell Collins, Cedar Rapids, IA.

© 2010 ACM 0001-0782/10/0200 $10.00
contributed articles

DOI:10.1145/1646353.1646374

How Coverity built a bug-finding tool, and a business, around the unlimited supply of bugs in software systems.

BY AL BESSEY, KEN BLOCK, BEN CHELF, ANDY CHOU, BRYAN FULTON, SETH HALLEM, CHARLES HENRI-GROS, ASYA KAMSKY, SCOTT MCPEAK, AND DAWSON ENGLER

A Few Billion Lines of Code Later: Using Static Analysis to Find Bugs in the Real World

[…] The tool, like all static bug finders, leveraged the fact that programming rules often map clearly to source code; thus static inspection can find many of their violations. For example, to check the rule "acquired locks must be released," a checker would look for relevant operations (such as lock() and unlock()) and inspect the code path after flagging rule disobedience (such as lock() with no unlock() and double locking).

For those who keep track of such things, checkers in the research system typically traverse program paths (flow-sensitive) in a forward direction, going across function calls (inter-procedural) while keeping track of call-site-specific information (context-sensitive), and toward the end of the effort had some of the support needed to detect when a path was infeasible (path-sensitive).

A glance through the literature reveals many ways to go about static bug finding. […] good, and if not, not. The ideal: check millions of lines of code with little manual setup and find the maximum number of serious true errors.
For code, these features include problematic idioms, the types of false positives encountered, the distance of a dialect from a language standard, and the way the build works. For developers, variations appear in raw ability, knowledge, the amount they care about bugs, false positives, and the types of both. A given company won't deviate in all these features but, given the number of features to choose from, often includes at least one weird oddity. Weird is not good. Tools want expected. Expected you can tune a tool to handle; surprise interacts badly with tuning assumptions.

Second, in the lab the user's values, knowledge, and incentives are those of the tool builder, since the user and the builder are the same person. Deployment leads to severe fission; users often have little understanding of the tool and little interest in helping develop it (for reasons ranging from simple skepticism to perverse reward incentives) and typically label any error message they find confusing as false. A tool that works well under these constraints looks very different from one tool builders design for themselves.

However, for every user who lacks the understanding or motivation one might hope for, another is eager to understand how it all works (or perhaps already does), willing to help even beyond what one might consider reasonable. Such champions make sales as easily as their antithesis blocks them. However, since their main requirements tend to be technical (the tool must work), the reader likely sees how to make them happy, so we rarely discuss them here.

Most of our lessons come from two different styles of use: the initial trial of the tool and how the company uses the tool after buying it. The trial is a pre-sale demonstration that attempts to show that the tool works well on a potential customer's code. We generally ship a salesperson and an engineer to the customer's site. The engineer configures the tool, runs it over a given code base, and presents results soon after.
Initially, the checking run would happen in the morning, and the results meeting would follow in the afternoon; as code size at trials grows it's not uncommon to split them across two (or more) days. Sending people to a trial dramatically raises the incremental cost of each sale. However, it gives the non-trivial benefit of letting us educate customers (so they do not label serious, true bugs as false positives) and do real-time, ad hoc workarounds of weird customer system setups.

The trial structure is a harsh test for any tool, and there is little time. The checked system is large (millions of lines of code, with 20–30MLOC a possibility). The code and its build system are both difficult to understand. However, the tool must routinely go from never seeing the system previously to getting good bugs in a few hours. Since we present results almost immediately after the checking run, the bugs must be good with few false positives; there is no time to cherry pick them.

Furthermore, the error messages must be clear enough that the sales engineer (who didn't build the checked system or the tool) can diagnose and explain them in real time in response to "What about this one?" questions.

The most common usage model for the product has companies run it as part of their nightly build. Thus, most require that checking runs complete in 12 hours, though those with larger code bases (10+MLOC) grudgingly accept 24 hours. A tool that cannot analyze at least 1,400 lines of code per minute makes it difficult to meet these targets. During a checking run, error messages are put in a database for subsequent triaging, where users label them as true errors or false positives. We spend significant effort designing the system so these labels are automatically reapplied if the error message they refer to comes up on subsequent runs, despite code-dilating edits or analysis-changing bug-fixes to checkers.

As of this writing (December 2009), approximately 700 customers have licensed the Coverity Static Analysis product, with somewhat more than a billion lines of code among them. We estimate that since its creation the tool has analyzed several billion lines of code, some more difficult than others.

Caveats. Drawing lessons from a single data point has obvious problems. Our product's requirements roughly form a "least common denominator" set needed by any tool that uses non-trivial analysis to check large amounts of code across many organizations; the tool must find and parse the code, and users must be able to understand error messages. Further, there are many ways to handle the problems we have encountered, and our way may not be the best one. We discuss our methods more for specificity than as a claim of solution. Finally, while we have had success as a static-tools company, these are small steps. We are tiny compared to mature technology companies. Here, too, we have tried to limit our discussion to conditions likely to be true in a larger setting.

Laws of Bug Finding
The fundamental law of bug finding is No Check = No Bug. If the tool can't check a system, file, code path, or given property, then it won't find bugs in it. Assuming a reasonable tool, the first-order bound on bug counts is just how much code can be shoved through the tool. Ten times more code is 10 times more bugs.

We imagined this law was as simple a statement of fact as we needed. Unfortunately, two seemingly vacuous corollaries place harsh first-order bounds on bug counts:

Law: You can't check code you don't see. It seems too trite to note that checking code requires first finding it... until you try to do so consistently on many large code bases. Probably the most reliable way to check a system is to grab its code during the build process; the build system knows exactly which files are included in the system and how to compile them. This seems like a simple task. Unfortunately, it's often difficult to understand what an ad hoc, homegrown build system is doing well enough to extract this information, a difficulty compounded by the near-universal absolute edict: "No, you can't touch that." By default, companies refuse to let an external force modify anything; you cannot modify their compiler path, their broken makefiles (if they have any), or in any way write or reconfigure anything other than your own temporary files. Which is fine, since if you need to modify it, you most likely won't understand it.

Further, for isolation, companies often insist on setting up a test machine for you to use. As a result, not infrequently the build you are given to check does not work in the first place, which you would get blamed for if you had touched anything.

Our approach in the initial months of commercialization in 2002 was a low-tech, read-only replay of the build commands: run make, record its output in a file, and rewrite the invocations to their compiler (such as gcc) to instead call our checking tool, then rerun everything. Easy and simple. This approach worked perfectly in the lab and for a small number of our earliest customers.
We then had the following […]

Law: You can't check code you can't parse. […] Any code the compiler does not reject has been certified as "C code," no matter how blatantly illegal its contents may be to a language scholar. Fed this illegal not-C code, a tool's C front-end will reject it. This problem is the tool's problem.

Compounding it (and others), the person responsible for running the tool is often not the one punished if the checked code breaks. (This person also often doesn't understand the checked code or how the tool works.) In particular, since our tool often runs as part of the nightly build, the build engineer managing this process is often in charge of ensuring the tool runs correctly. Many build engineers have a single concrete metric of success: that all tools terminate with successful exit codes. They see Coverity's tool as just another speed bump in the list of things they must get through. Guess how receptive they are to fixing code the "official" compiler accepted but the tool rejected with a parse error? This lack of interest generally extends to any aspect of the tool for which they are responsible.

Many (all?) compilers diverge from the standard. Compilers have bugs. Or are very old. Written by people who misunderstand the specification (not just for C++). Or have numerous extensions. The mere presence of these divergences causes the code they allow to appear. If a compiler accepts construct X, then given enough programmers and code, eventually X is typed, not rejected, then encased in the code base, where the static tool will, not helpfully, flag it as a parse error.

The tool can't simply ignore divergent code, since significant markets are awash in it. For example, one enormous software company once viewed conformance as a competitive disadvantage, since it would let others make tools usable in lieu of its own. Embedded software companies make great tool customers, given the bug aversion of their customers; users don't like it if their cars (or even their toasters) crash. Unfortunately, the space constraints in such systems and their tight coupling to hardware have led to an astonishing oeuvre of enthusiastically used compiler extensions.

Finally, in safety-critical software systems, changing the compiler often requires costly re-certification. Thus, we routinely see the use of decades-old compilers. While the languages these compilers accept have interesting features, strong concordance with a modern language standard is not one of them. Age begets new problems. Realistically, diagnosing a compiler's divergences requires having a copy of the compiler. How do you purchase a license for a compiler 20 versions old? Or whose company has gone out of business? Not through normal channels. We have literally resorted to buying copies off eBay.

This dynamic shows up in a softer way with non-safety-critical systems; the larger the code base, the more the sales force is rewarded for a sale, skewing sales toward such systems. Large code bases take a while to build and often get tied to the compiler used when they were born, skewing the average age of the compilers whose languages we must accept.

If divergence-induced parse errors are isolated events scattered here and there, then they don't matter. An unsound tool can skip them. Unfortunately, failure often isn't modular. In a sad, too-common story line, some crucial, purportedly "C" header file contains a blatantly illegal non-C construct. It gets included by all files. The no-longer-potential customer is treated to a constant stream of parse errors as your compiler rips through the customer's source files, rejecting each in turn. The customer's derisive stance is, "Deep source code analysis? Your tool can't even compile code. How can it find bugs?" It may find this event so amusing that it tells many friends.

Tiny set of bad snippets seen in header files. One of the first examples we encountered of illegal-construct-in-key-header-file came up at a large networking company:

// "redefinition of parameter 'a'"
void foo(int a, int a);

The programmer names foo's first formal parameter a and, in a form of lexical locality, the second as well. Harmless. But any conformant compiler will reject this code. Our tool certainly did. This is not helpful; compiling no files means finding no bugs, and people don't need your tool for that. And, because its compiler accepted it, the potential customer blamed us.

Here's an opposite, less-harmless case where the programmer is trying to make two different things the same:

typedef char int;

("Useless type name in empty declaration.")

And one where readability trumps the language spec:

unsigned x = 0xdead_beef;

("Invalid suffix '_beef' on integer constant.")

From the embedded space, creating a label that takes no space:

void x;

("Storage size of 'x' is not known.")

Another embedded example that controls where the space comes from:

unsigned x @ "text";

("Stray '@' in program.")

A more advanced case of a nonstandard construct is:

Int16 ErrSetJump(ErrJumpBuf buf) = { 0x4E40 + 15, 0xA085; }

It treats the hexadecimal values of machine-code instructions as program source.

The award for most widely used extension should, perhaps, go to Microsoft support for precompiled headers. Among the most nettlesome troubles is that the compiler skips all the text before an inclusion of a precompiled header. The implication of this behavior is that the following code can be compiled without complaint:

I can put whatever I want here.
It doesn't have to compile.
If your compiler gives an error,
it sucks.
#include <some-precompiled-header.h>

Microsoft's on-the-fly header fabrication makes things worse.

Assembly is the most consistently troublesome construct. It's already non-portable, so compilers seem to almost deliberately use weird syntax, making it difficult to handle in a general way. Unfortunately, if a programmer uses assembly it's probably to write a widely used function, and if the programmer does it, the most likely place to put it is in a widely used header file.
Here are two ways (out of many) to issue a mov instruction:

// First way
foo() {
  __asm mov eax, eab
  mov eax, eab;
}

// Second way
#pragma asm
__asm [ mov eax, eab mov eax, eab ]
#pragma end_asm

The only thing shared in addition to mov is the lack of common textual keys that can be used to elide them.

We have thus far discussed only C, a simple language; C++ compilers diverge to an even worse degree, and we go to great lengths to support them. On the other hand, C# and Java have been easier, since we analyze the bytecode they compile to rather than their source.

How to parse not-C with a C front-end. OK, so programmers use extensions. How difficult is it to solve this problem? Coverity has a full-time team of some of its sharpest engineers to firefight this banal, technically uninteresting problem as their sole job. They're never done.b

We first tried to make the problem someone else's problem by using the Edison Design Group (EDG) C/C++ front-end to parse code.5 EDG has worked on how to parse real C code since 1989 and is the de facto industry standard front-end. Anyone deciding to not build a homegrown front-end will almost certainly license from EDG. All those who do build a homegrown front-end will almost certainly wish they did license EDG after a few experiences with real code. EDG aims not just for mere feature compatibility but for version-specific bug compatibility across a range of compilers. Its front-end probably resides near the limit of what a profitable company can do in terms of front-end gyrations.

Unfortunately, the creativity of compiler writers means that despite two decades of work EDG still regularly meets defeat when trying to parse real-world large code bases.c Thus, as our next step, for each supported compiler we write a set of "transformers" that mangle its personal language into something closer to what EDG can parse. The most common transformation simply rips out the offending construct. As one measure of how much C does not exist, the table here counts the lines of transformer code needed to make the languages accepted by 18 widely used compilers look vaguely like C. A line of transformer code was almost always written only when we were burned to a degree that was difficult to work around. Adding each new compiler to our list of "supported" compilers almost always requires writing some kind of transformer.

b Anecdotally, the dynamic memory-checking tool Purify10 had an analogous struggle at the machine-code level, where Purify's developers expended significant resources reverse engineering the various activation-record layouts used by different compilers.

c Coverity won the dubious honor of being the single largest source of EDG bug reports after only three years of use.

Lines of code per transformer for 18 common compilers we support:

  160  QNX            280  HP-UX          285  picc.cpp
  294  sun.java.cpp   384  st.cpp         334  cosmic.cpp
  421  intel.cpp      457  sun.cpp        603  iccmsa.cpp
  629  bcc.cpp        673  diab.cpp       756  xlc.cpp
  912  ARM            914  GNU           1294  Microsoft
 1425  keil.cpp      1848  cw.cpp        1665  Metrowerks
end will almost certainly license from around and report an incompatibility. If blame. Other times, it’s just odd:
EDG. All those who do build a home- EDG then considers the problem impor- “Is this a bug?”
grown front-end will almost certainly tant enough to fix, it will roll it together “I’m just the security guy.”
wish they did license EDG after a few with other patches into a new version. “That’s not a bug; it’s in third-party
experiences with real code. EDG aims So, to get our own fix, we must up- code.”
not just for mere feature compatibility “A leak? Don’t know. The author left
but for version-specific bug compat- c Coverity won the dubious honor of being the
years ago...”
ibility across a range of compilers. Its single largest source of EDG bug reports after No, your tool is broken; that is not
front-end probably resides near the only three years of use. a bug. Given enough code, any bug-
limit of what a profitable company can
do in terms of front-end gyrations. Lines of code per transformer for 18 common compilers we support.
Unfortunately, the creativity of com-
piler writers means that despite two de- 160 QNX 280 HP-UX 285 picc.cpp
cades of work EDG still regularly meets 294 sun.java.cpp 384 st.cpp 334 cosmic.cpp
421 intel.cpp 457 sun.cpp 603 iccmsa.cpp
b Anecdotally, the dynamic memory-checking
629 bcc.cpp 673 diab.cpp 756 xlc.cpp
tool Purify10 had an analogous struggle at the
machine-code level, where Purify’s developers 912 ARM 914 GNU 1294 Microsoft
expended significant resources reverse engi- 1425 keil.cpp 1848 cw.cpp 1665 Metrowerks
neering the various activation-record layouts
used by different compilers.
finding tool will uncover some weird the work for you. The more people in
examples. Given enough coders, the room, the more likely there is some-
you’ll see the same thing. The fol- one very smart and respected and cares
lowing utterances were culled from (about bugs and about the given code),
trial meetings:
Upon seeing an error report saying …it’s not can diagnose an error (to counter argu-
ments it’s a false positive), has been
the following loop body was dead code
foo(i = 1; i < 0; i++)
uncommon for burned by a similar error, loses his/her
bonus for errors, or is in another group
... deadcode ... tool improvement (another potential sale).
“No, that’s a false positive; a loop ex-
ecutes at least once.”
to be viewed Further, a larger results meeting
increases the probability that anyone
For this memory corruption error as “bad” or at laid off at a later date attended it and
(32-bit machine)
least a problem. saw how your tool worked. True story:
A networking company agreed to buy
int a[2], b; the Coverity product, and one week
memset(a, 0, 12); later laid off 110 people (not because of
us). Good or bad? For the fired people
“No, I meant to do that; they are next it clearly wasn’t a happy day. However,
to each other.” it had a surprising result for us at a
For this use-after-free business level; when these people were
hired at other companies some sug-
free(foo); gested bringing the tool in for a trial,
foo->bar = ...; resulting in four sales.
What happens when you can’t fix
“No, that’s OK; there is no malloc all the bugs? If you think bugs are bad
call between the free and use.” enough to buy a bug-finding tool, you
As a final example, a buffer overflow will fix them. Not quite. A rough heuris-
checker flagged a bunch of errors of the tic is that fewer than 1,000 bugs, then
form fix them. More? The baseline is to re-
cord the current bugs, don’t fix them
unsigned p[4]; but do fix any new bugs. Many compa-
... nies have independently come up with
p[4] = 1; this practice, which is more rational
than it seems. Having a lot of bugs usu-
“No, ANSI lets you write 1 past the ally requires a lot of code. Much of it
end of the array.” won’t have changed in a long time. A
After heated argument, the program- reasonable, conservative heuristic is
mer said, “We’ll have to agree to dis- if you haven’t touched code in years,
agree.” We could agree about the dis- don’t modify it (even for a bug fix) to
agreement, though we couldn’t quite avoid causing any breakage.
comprehend it. The (subtle?) interplay A surprising consequence is it’s not
between 0-based offsets and buffer siz- uncommon for tool improvement to be
es seems to come up every few months. viewed as “bad” or at least a problem.
While programmers are not often Pretend you are a manager. For anything
so egregiously mistaken, the general bad you can measure, you want it to di-
trend holds; a not-understood bug minish over time. This means you are
report is commonly labeled a false improving something and get a bonus.
positive, rather than spurring the pro- You may not understand techni-
grammer to delve deeper. The result? cal issues that well, and your boss cer-
We have completely abandoned some tainly doesn’t understand them. Thus,
analyses that might generate difficult- you want a simple graph that looks like
to-understand reports. Figure 1; no manager gets a bonus for
How to handle cluelessness. You can- Figure 2. Representative story: At com-
not often argue with people who are pany X, version 2.4 of the tool found
sufficiently confused about technical approximately 2,400 errors, and over
matters; they think you are the one time the company fixed about 1,200 of
who doesn’t get it. They also tend to get them. Then it upgraded to version 3.6.
emotional. Arguing reliably kills sales. Suddenly there were 3,600 errors. The
What to do? One trick is to try to orga- manager was furious for two reasons:
nize a large meeting so their peers do One, we “undid” all the work his people
had done, and two, how could we have missed them the first time?

Figure 1. Bugs down over time = manager bonus.
Figure 2. No bonus.

How do upgrades happen when more bugs is no good? Companies independently settle on a small number of upgrade models:

Never. Guarantees "improvement";

Never before a release (where it would be most crucial). Counterintuitively happens most often in companies that believe the tool helps with release quality in that they use it to "gate" the release;

Never before a meeting. This is at least socially rational;

Upgrade, then roll back. Seems to happen at least once at large companies; and

Upgrade only checkers where they fix most errors. Common checkers include use-after-free, memory corruption, (sometimes) locking, and (sometimes) checkers that flag code contradictions.

Do missed errors matter? If people don't fix all the bugs, do missed errors (false negatives) matter? Of course not; they are invisible. Well, not always. Common cases: Potential customers intentionally introduced bugs into the system, asking "Why didn't you find it?" Many check if you find important past bugs. The easiest sale is to a group whose code you are checking that was horribly burned by a specific bug last week, and you find it. If you don't find it? No matter the hundreds of other bugs you do find, any of which may be the next important bug.

Here is an open secret known to bug finders: The set of bugs found by tool A is rarely a superset of another tool B's, even if A is much better than B. Thus, the discussion gets pushed from "A is better than B" to "A finds some things, B finds some things" and does not help the case of A.

Adding bugs can be a problem; losing already-inspected bugs is always a problem, even if you replace them with many more new errors. While users know in theory that the tool is "not a verifier," it's very different when the tool demonstrates this limitation, good and hard, by losing a few hundred known errors after an upgrade.

The easiest way to lose bugs is to add just one to your tool. A bug that causes false negatives is easy to miss. One such bug in how our early research tool's internal representation handled array references meant the analysis ignored most array uses for more than nine months. In our commercial product, blatant situations like this are prevented through detailed unit testing, but uncovering the effect of subtle bugs is still difficult because customer source code is complex and not available.

Churn
Users really want the same result from run to run. Even if they changed their code base. Even if they upgraded the tool. Their model of error messages? Compiler warnings. Classic determinism states: same input + same function = same result. What users want: different input (modified code base) + different function (tool version) = same result. As a result, we find upgrades to be a constant headache. Analysis changes can easily cause the set of defects found to shift. The new-speak term we use internally is "churn." A big change from academia is that we spend considerable time and energy worrying about churn when modifying checkers. We try to cap churn at less than 5% per release. This goal means large classes of analysis tricks are disallowed since they cannot obviously guarantee minimal effect on the bugs found. Randomization is verboten, a tragedy given that it provides simple, elegant solutions to many of the exponential problems we encounter. Timeouts are also bad, sometimes used as a last resort but never encouraged.

Myth: More analysis is always good. While nondeterministic analysis might cause problems, it seems that adding more deterministic analysis is always good. Bring on path sensitivity! Theorem proving! SAT solvers! Unfortunately, no. At the most basic level, errors found with little analysis are often better than errors found with deeper tricks. A good error is probable, a true error, and easy to diagnose; best is difficult to misdiagnose. As the number of analysis steps increases, so, too, does the chance of analysis mistake, user confusion, or the perceived improbability of the event sequence. No analysis equals no mistake.

Further, explaining errors is often more difficult than finding them. A misunderstood explanation means the error is ignored or, worse, transmuted into a false positive. The heuristic we follow: Whenever a checker calls a complicated analysis subroutine, we have to explain what that routine did to the user, and the user will then have to (correctly) manually replicate that tricky thing in his/her head.

Sophisticated analysis is not easy to explain or redo manually. Compounding the problem, users often lack a strong grasp of how compilers work. A representative user quote is "'Static analysis'? What's the performance overhead?"

The end result? Since the analysis that suppresses false positives is invisible (it removes error messages rather than generates them), its sophistication has scaled far beyond what our research
system did. On the other hand, the commercial Coverity product, despite its improvements, lags behind the research system in some ways because it had to drop checkers or techniques that demand too much sophistication on the part of the user. As an example, for many years we gave up on checkers that flagged concurrency errors; while finding such errors was not too difficult, explaining them to many users was. (The PREfix system also avoided reporting races for similar reasons, though they are now supported by Coverity.)

No bug is too foolish to check for. Given enough code, developers will write almost anything you can think of. Further, completely foolish errors can be some of the most serious; it's difficult to be extravagantly nonsensical in a harmless way. We've found many errors over the years. One of the absolute best was the following in the X Window System:

    if (getuid() != 0 && geteuid == 0) {
        ErrorF("only root");
        exit(1);
    }

It allowed any local user to get root access and generated enormous press coverage, including a mention on Fox News (the Web site). The checker was written by Scott McPeak as a quick hack to get himself familiar with the system. It made it into the product not because of a perceived need but because there was no reason not to put it in. Fortunately.

False Positives
False positives do matter. In our experience, rates of more than 30% easily cause problems. People ignore the tool. True bugs get lost in the false. A vicious cycle starts where low trust causes complex bugs to be labeled false positives, leading to yet lower trust. We have seen this cycle triggered even for true errors. If people don't understand an error, they label it false. And done once, induction makes the (n+1)th time easier. We initially thought false positives could be eliminated through technology. Because of this dynamic we no longer think so. We've spent considerable technical effort to achieve low false-positive rates in our static analysis product. We aim for below 20% for "stable" checkers. When forced to choose between more bugs or fewer false positives, we typically choose the latter.

Talking about "false positive rate" is simplistic since false positives are not all equal. The initial reports matter inordinately; if the first N reports are false positives (N = 3?), people tend to utter variants on "This tool sucks." Furthermore, you never want an embarrassing false positive. A stupid false positive implies the tool is stupid. ("It's not even smart enough to figure that out?") This technical mistake can cause social problems. An expensive tool needs someone with power within a company or organization to champion it. Such people often have at least one enemy. You don't want to provide ammunition that would embarrass the tool champion internally; a false positive that fits in a punchline is really bad.

Conclusion
While we've focused on some of the less-pleasant experiences in the commercialization of bug-finding products, two positive experiences trump them all. First, selling a static tool has become dramatically easier in recent years. There has been a seismic shift in terms of the average programmer "getting it." When you say you have a static bug-finding tool, the response is no longer "Huh?" or "Lint? Yuck." This shift seems due to static bug finders being in wider use, giving rise to nice networking effects. The person you talk to likely knows someone using such a tool, has a competitor that uses it, or has been in a company that used it.

Moreover, while seemingly vacuous tautologies have had a negative effect on technical development, a nice balancing empirical tautology holds that bug finding is worthwhile for anyone with an effective tool. If you can find code, and the checked system is big enough, and you can compile (enough of) it, then you will always find serious errors. This appears to be a law. We encourage readers to exploit it.

Acknowledgments
The experience covered here was the work of many. We thank all who helped build the tool and company to its current state, especially the sales engineers, support engineers, and services engineers who took the product into complex environments and were often the first to bear the brunt of problems. Without them there would be no company to document. We especially thank all the customers who tolerated the tool during its transition from research quality to production quality and the numerous champions whose insightful feedback helped us focus on what mattered.

References
1. Ball, T. and Rajamani, S.K. Automatically validating temporal safety properties of interfaces. In Proceedings of the Eighth International SPIN Workshop on Model Checking of Software (Toronto, Ontario, Canada). M. Dwyer, Ed. Springer-Verlag, New York, 2001, 103–122.
2. Bush, W., Pincus, J., and Sielaff, D. A static analyzer for finding dynamic programming errors. Software: Practice and Experience 30, 7 (June 2000), 775–802.
3. Coverity static analysis; http://www.coverity.com
4. Das, M., Lerner, S., and Seigle, M. ESP: Path-sensitive program verification in polynomial time. In Proceedings of the ACM SIGPLAN 2002 Conference on Programming Language Design and Implementation (Berlin, Germany, June 17–19). ACM Press, New York, 2002, 57–68.
5. Edison Design Group. EDG C compiler front-end; http://www.edg.com
6. Engler, D., Chelf, B., Chou, A., and Hallem, S. Checking system rules using system-specific, programmer-written compiler extensions. In Proceedings of the Fourth Conference on Operating System Design & Implementation (San Diego, Oct. 22–25). USENIX Association, Berkeley, CA, 2000, 1–1.
7. Flanagan, C., Leino, K.M., Lillibridge, M., Nelson, G., Saxe, J.B., and Stata, R. Extended static checking for Java. In Proceedings of the ACM SIGPLAN Conference on Programming Language Design and Implementation (Berlin, Germany, June 17–19). ACM Press, New York, 2002, 234–245.
8. Foster, J.S., Terauchi, T., and Aiken, A. Flow-sensitive type qualifiers. In Proceedings of the ACM SIGPLAN 2002 Conference on Programming Language Design and Implementation (Berlin, Germany, June 17–19). ACM Press, New York, 2002, 1–12.
9. Hallem, S., Chelf, B., Xie, Y., and Engler, D. A system and language for building system-specific, static analyses. In Proceedings of the ACM SIGPLAN Conference on Programming Language Design and Implementation (Berlin, Germany, June 17–19). ACM Press, New York, 2002, 69–82.
10. Hastings, R. and Joyce, B. Purify: Fast detection of memory leaks and access errors. In Proceedings of the Winter 1992 USENIX Conference (Berkeley, CA, Jan. 20–24). USENIX Association, Berkeley, CA, 1992, 125–138.
11. Xie, Y. and Aiken, A. Context- and path-sensitive memory leak detection. In Proceedings of the 10th European Software Engineering Conference Held Jointly with 13th ACM SIGSOFT International Symposium on Foundations of Software Engineering (Lisbon, Portugal, Sept. 5–9). ACM Press, New York, 2005, 115–125.

Al Bessey, Ken Block, Ben Chelf, Andy Chou, Bryan Fulton, Seth Hallem, Charles Henri-Gros, Asya Kamsky, and Scott McPeak are current or former employees of Coverity, Inc., a software company based in San Francisco, CA; http://www.coverity.com
contributed articles
DOI:10.1145/1646353.1646373

The National Academy of Sciences recommends what the U.S. government should do to help maintain American IT leadership.

BY ERIC BENHAMOU, JON EISENBERG, AND RANDY H. KATZ

Assessing the Changing U.S. IT R&D Ecosystem

THE U.S. NATIONAL Academy of Sciences was established by President Abraham Lincoln in 1863 to provide unbiased assessment of scientific and technology policy issues facing the U.S. government (http://www.nas.edu). In 2006, the Academy's Computer Science and Telecommunications Board, under the sponsorship of the U.S. National Science Foundation, established a committee of experts in the fields of IT research (Randy Katz, Ed Lazowska, Raj Reddy), venture investment (Eric Benhamou, David Nagel, Arati Prabhakar), economics of innovation and globalization (Andrew Hargadon, Martin Kenney, Steven Klepper), and labor and work-force issues (Stephen Barley, Lucy Sanders) to assess the effects of changes in the U.S. IT R&D ecosystem (http://sites.nationalacademies.org/CSTB/index.htm). The committee took as its charter to examine the period from 1995 to the present, a time of rapid expansion and contraction of the field in response to the Internet boom, a precipitous stock-market collapse, increased competition through globalization of the industry, and an economy-disrupting terrorist attack and subsequent aftershocks to the economy, the full implications of which have yet to be understood.

While the committee's study focused on global developments and their implications, particularly for the U.S., the report, which was issued in February 2009, is of interest to researchers and policymakers in all of the world's IT-intensive economies, as the globalization of the industry accelerates with the rise of India and China as major centers.

Here, we summarize the report's observations, findings, and recommendations (http://www.nap.edu/catalog.php?record_id=12174), covering several main themes:
- IT's central role in the developed world;
- The committee's assessments of the IT R&D ecosystem, with an inevitably U.S.-centric view, calling for increased and balanced investment in IT research by the U.S. government, with supporting investment in education and outreach to develop a high-skills/information-technology-aware work force, a commitment to reduce the "friction" the IT industry faces in the U.S. economy (such as in its highly litigious intellectual property system and regulatory regimes whose compliance unduly burdens small companies significantly more than larger ones), and an expanded commitment to develop a leading-edge U.S. IT infrastructure; and
- The American Recovery and Reinvestment Act of 2009 and the actions taken by the Obama administration directly relevant to the recommendations of the committee.

IT Impact
Advances in IT and its applications represent a signal success for U.S. scientific, engineering, business, and
has been achieved, not just from the government investment in foundational research, but from a vibrant venture community able and willing to provide the risk capital to fund the commercialization of new ideas from which such industrial sectors are able to grow.

Assessing the Ecosystem
The U.S. IT R&D ecosystem was the envy of the world in 1995; Figure 2 outlines its essential elements: university and industrial research enterprises; emerging start-up companies and more mature technology companies; the industry that finances innovative firms; and the regulatory environment and legal frameworks. From the perspective of IT, the U.S. enjoyed a strong industrial base, the ability to create and leverage new technological advances, and an extraordinary system for creating world-class technology companies.

The period from 1995 to the present has been a turbulent one for the U.S. and the world, as characterized by:
- Irrational exuberance for IT stocks and the NASDAQ bust (2000);
- Y2K and the development of the Indian software industry;
- Aftereffects of the terror attacks of September 11, 2001;
- Financial scandals and bankruptcies (2001);
- Surviving after the bubble burst (2001–2004);
- Recovery (2005–2007); and
- The global economic and financial crisis (2008).

These shocks took their toll, and in the view of the committee, government actions are necessary to sustain the U.S. IT R&D ecosystem. The U.S. government should:
- Strengthen the effectiveness of government-funded IT research;
- Remain the strongest generator of and magnet for technical talent;
- Reduce the friction that harms the effectiveness of the U.S. IT R&D ecosystem while maintaining other important political and economic objectives; and
- Ensure that the U.S. has an infrastructure for communications, computing, applications, and services that enables U.S. IT users and innovators to lead the world.

Potential high-value societal benefits of continued investment in IT include:
- Safer, robotics-enhanced automobiles;
- A more scalable, manageable, secure, robust Internet;
- Personalized and collaborative educational tools for tutoring and just-in-time learning;
- Personalized health monitoring;
- Augmented cognition to help people cope with information overload; and
- IT-driven advances in all fields of science and engineering.

Much has been learned from decades of experience about what constitutes an environment that fosters successful research and its transition to commercial formation. The following insights are extracted from a 2003 Academy report from the National Research Council called Innovation in Information Technology (The National Academies Press, Washington, D.C., 2003; http://www.nap.edu/openbook.php?isbn=0309089808):

On the results of research:
- U.S. international leadership in IT (vital to the country) springs from a deep tradition of research;
- The unanticipated results of research are often as important as the anticipated results; and
- The interaction of research ideas multiplies their effect; for example, concurrent research programs targeting integrated circuit design, computer graphics, networking, and workstation-based computing strongly reinforce and amplify one another.

On research as a partnership:
- The success of the IT research enterprise reflects a complex partnership among government, industry, and universities;
- The federal government has had and will continue to have an essential role in sponsoring fundamental research in IT (largely university-based) because it does what industry cannot do. Industrial and governmental investment in research reflects different motivations, resulting in differences in style, focus, and time horizon;
- Companies have little incentive to invest significant amounts in activities whose benefits spread quickly to their rivals. Fundamental research often falls into this category. By contrast, the vast majority of corporate R&D addresses product-and-process development; and
- Government funding for research has leveraged the effective decision making of visionary program managers and program-office directors from the research community, empowering them to take risks in designing programs and selecting grantees. Government sponsorship of research, especially in universities, also helps develop the IT talent used by industry, universities, and other parts of the economy.

On the economic payoff of research:
- Past returns on federal investment in IT research have been extraordinary for both U.S. society and the U.S. economy. The transformative effects of IT grow as innovations build on one another and as user know-how compounds. Priming that pump for tomorrow is today's challenge; and
- When companies create products using the ideas and work force that result from federally sponsored research, they repay the nation in jobs, tax revenue, productivity increases, and world leadership.

Inevitable Globalization of IT
Another significant trend, analyzed in detail in the report, is how the IT industry has become more globalized, especially with the dramatic rise of the economies of India and China, fueled in no small part by their development of vibrant IT industries. Moreover, India and China represent fast-growing markets for IT products, with both likely to grow their IT industries into economic powerhouses for the world, reflecting both deliberate government policies and the existence of strong, vibrant private-sector firms, both domestic and foreign. Ireland, Israel, Japan, Korea, and Taiwan, as well as some Scandinavian countries, have also developed strong niches within the increasingly globalized industry. Today, a product conceptualized and marketed in the U.S. might be designed to specifications in Taiwan, and batteries or hard drives obtained from Japan might become parts in a product assembled in China. High-value software and integrated circuits at the heart of a product might be designed and developed in the U.S., fabricated in Taiwan, and incorporated into a product assembled from components supplied from around the world.

Unfortunately, during a period of rapid globalization, U.S. national policies have not sufficiently buttressed the ecosystem, or have generated side effects that have reduced its effectiveness. This is particularly true of such areas as IT education, U.S. government IT research funding, and the regulations that affect the corporate overhead and competitiveness of innovative IT companies. As a result, the U.S. position in IT leadership today has eroded compared to that of prior decades, and IT leadership may pass to other nations within a generation unless the U.S. recommits itself to providing the resources needed to fuel U.S. IT innovation, removing important roadblocks that reduce the ecosystem's effectiveness in generating innovation and the fruits of innovation, and becoming a lead innovator and user of IT.

In 2009, the ecosystem also faced new challenges from a global economic crisis that continues to unfold. There has been a marked reduction in the availability of venture capital following losses in pension funds and endowments, as well as in initial public offerings by technology companies, and a decline in mergers and acquisitions. There is also a steep decline in consumer confidence, suggesting that a consumer-driven recovery is unlikely in the near term. Significant layoffs and hiring cutbacks in IT firms and across the global economy seem all but certain to adversely affect the IT R&D ecosystem, undermining the partial recovery seen over the past few years. The magnitude, duration, and enduring effects on the ecosystem of the downturn are not yet clear.

Globalization is a broad and sweeping phenomenon that cannot be contained. The committee concluded that, if embraced rather than resisted, it presents more opportunity than threat to the U.S. national IT R&D ecosystem.
novative firms; and create an environment that ensures deployment of the most advanced technology infrastructures, applications, and services in the U.S. itself for the benefit of the nation's people, institutions, and firms.

reflect the importance of IT to the nation's society and economy as a whole and would allow the U.S. to build and sustain the already large positive effect of IT on its economy. The desirability of increased federal investment in IT
en, people with disabilities, and all minorities is especially low and declining. This low level of participation will affect the ability of the U.S. to meet its work-force needs and place it at a competitive disadvantage by not allowing it to capitalize on the innovative thinking of half its population.

Recommendation. To build the skilled work force it needs to retain high-value IT industries, the U.S. should invest more in education and outreach initiatives to nurture and increase its IT talent pool.

Finding. Although some IT professional jobs will be offshored, at the time the committee completed its report in 2008, it found there were more IT jobs in the U.S. than at any time during the dot-com boom, even in the face of corporate offshoring trends. While this may no longer be true in the wake of the global recession, anecdotal evidence indicates strong demand for new graduates in computer science programs nationally.

Recommendation. The U.S. should increase the availability and facilitate the issuance of work and residency visas to foreign students who graduate with advanced IT degrees from U.S. educational institutions.

Objective 3. Reduce friction that harms the effectiveness of the U.S. IT R&D ecosystem. Such factors as intellectual property litigation and corporate governance regulations have become sources of increased friction in the conduct of business in the U.S. and can have the effect of making other countries more attractive places to establish the small, innovative companies that are essential components of the ecosystem. These issues are not simple; for example, in terms of corporate governance, the dampening effects of increased regulation must be weighed against the benefits of restoring and maintaining public confidence in equity markets. But to keep the U.S. attractive for new venture formation, and to sustain the nation's unrivaled ability to transform innovative new concepts into the category-defining products and services the world desires, the potential effects on the IT R&D ecosystem should be weighed in considering new measures or reforms in such areas as corporate governance and intellectual property litigation.

Finding. Fewer young, innovative IT companies are gaining access to U.S. public equity markets.

Recommendation. Congress and federal agencies (such as the Securities and Exchange Commission, http://www.sec.gov/, and the Patent and Trademark Office, http://www.uspto.gov/) should consider the effect of both current and proposed policies and regulations on the IT ecosystem, especially on young, innovative IT businesses, and consider measures to mitigate them where appropriate.

Objective 4. Ensure that the U.S. has the infrastructure that enables U.S. IT users and innovators to lead the world. The U.S. has long enjoyed the position of being the largest market for IT; global demographics and relative growth rates suggest this advantage is unlikely to endure. Fortunately, although a healthy domestic IT market is an important element of a healthy domestic ecosystem, market size is not the only factor in leadership. The environment fostered by leading-edge users of technology (including those who can leverage research, innovate, and create additional value) creates the context for IT's next wave and its effective application. In such an environment, all sectors of society (including consumers, businesses, and governments) exploit and make the best use of advanced IT. But there are indications that the U.S. has indeed lost its leadership in the use of IT.

In particular, the U.S. broadband infrastructure is not as advanced or as widely deployed as that in many other countries. Should this situation persist, the U.S. will no longer be the nation in which the most innovative, most advanced technology and highest value-added products and services are conceptualized and developed.

Moreover, in addition to broadly fostering research and commercial innovation, government-sponsored R&D can help meet particular government demands. Though the government is no longer a lead IT user across the board, it continues to play an appropriate leadership role where federal-agency requirements are particular to their missions and commercial analogs are scarce or nonexistent.

Finding. The most dynamic IT sector is likely to be in the country with the most demanding IT customers and consumers.

Finding. In terms of nationwide availability, use, and speed of broadband, the U.S. (a former leader in the technology) has been losing ground compared with other nations.
… bottlenecks and increase incentives for investment in these services.

Recommendation. Government (federal, state, and local) should foster commercial innovation and itself make strategic investments in IT R&D and deployment so the U.S. retains a global lead position in areas where it has particular mission requirements.

… a one-time increase in funding, we are optimistic that the Obama administration's and Congress's commitment to science and technology will continue.

Acknowledgments
We thank the entire membership and staff of the Committee on Assessing the Impacts of Changes in the Information Technology R&D Ecosystem.
Recent Progress in Quantum Algorithms

It is impossible to imagine today's technological world without algorithms: sorting, searching, calculating, and simulating are being used everywhere to make our everyday lives better. But what are the benefits of the more philosophical endeavor of studying the notion of an algorithm through the perspective of the physical laws of the universe? This simple idea, that we desire an understanding of the algorithm based upon physics, seems, upon first reflection, to be nothing more than mere plumbing in the basement of computer science. That is, until one realizes that the pipes of the universe do not seem to behave like the standard components out of which we build a computer, but instead obey the counterintuitive laws of quantum theory. And, even more astoundingly, when one puts these …

Could this possibly be true: that there is a more fundamental notion of algorithmic efficiency for computers built from quantum components? And, if this is true, what exactly is the power of these quantum algorithms?

The shot that rang round the computational world announcing the arrival of the quantum algorithm was the 1994 discovery by Peter Shor that quantum computers could efficiently factor natural numbers and compute discrete logarithms.24 The problem of finding efficient algorithms for factoring has been burning the brains of mathematicians at least as far back as Gauss, who commented upon the problem that "the dignity of science seems to demand that every aid to the solution of such an elegant and celebrated problem be zealously cultivated." Even more important than the fact that such a simple and central problem has eluded an efficient algorithmic solution is that the lack of such an efficient algorithm has been used as a justification for the security of public key cryptosystems, like RSA encryption.23 Shor's algorithm, then, didn't just solve a problem of pure academic interest, but instead ended up showing how quantum computers could break the vast majority of cryptographic protocols in widespread use today. If we want the content of our public-key-encrypted messages to remain secret not only now, but also in the future, then Shor's algorithm redefines the scope of our confidence in computer security: we communicate securely, today, given that we cannot build a large-scale quantum computer tomorrow.

Given the encryption-breaking powers promised by quantum computers, it was natural that, in the decade following Shor's discovery, research has focused largely on whether a quantum computer could be built.
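The quantum content of Shor's algorithm is confined to the period-finding (order-finding) step; the reduction from factoring to order finding is classical number theory. A minimal sketch of that reduction, with brute-force order finding standing in for the quantum step (the function names and the example N = 15 are illustrative, not from the article):

```python
from math import gcd

def order(a, N):
    # Smallest r > 0 with a^r = 1 (mod N).  This is the step a quantum
    # computer performs efficiently; here it is brute-forced.
    r, x = 1, a % N
    while x != 1:
        x = (x * a) % N
        r += 1
    return r

def shor_reduction(a, N):
    # Classical reduction: an even order r with a^(r/2) != -1 (mod N)
    # yields nontrivial factors of N via gcd.
    r = order(a, N)
    if r % 2 == 1:
        return None        # unlucky choice of a; pick another
    y = pow(a, r // 2, N)
    if y == N - 1:
        return None
    return gcd(y - 1, N), gcd(y + 1, N)

print(shor_reduction(7, 15))  # -> (3, 5): the order of 7 mod 15 is 4
```

The exponentially hard part for a classical machine is `order` itself; everything around it is cheap.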
While there currently appear to be no fundamental obstacles toward building a large-scale quantum computer (and, even more importantly, a result known as the "threshold theorem"1,16-18,25 shows that quantum computers can be made resilient against small amounts of noise, thereby confirming that these are not analog machines), the engineering challenges posed in building an RSA-breaking quantum computer are severe, and the largest quantum computers built to date have fewer than 10 quantum bits (qubits).13,19 But regardless of the progress in building a quantum computer, if we are to seriously consider our understanding of computation as being based upon experimental evidence, we will have to investigate the power of quantum algorithms. Christos Papadimitriou said in a recent interview26 that the theory of computational complexity is such a difficult field because it is nearly impossible to prove what everyone knows from experience. How, then, can we even begin to gain an understanding of the power of quantum computers if we don't have one from which to gain such experience? Further, and perhaps even more challenging, quantum algorithms seem to be exploiting the very effects that make quantum theory so uniquely counterintuitive.6 Designing algorithms for a quantum computer is like building a car without having a road or gas to take it for a test drive.

In spite of these difficulties, a group of intrepid multidisciplinary researchers has been tackling the question of the power of quantum algorithms in the decades since Shor's discoveries. Here we review recent progress on the upper-bounding side of this problem: what new quantum algorithms have been discovered that outperform classical algorithms, and what can we learn from these discoveries? Indeed, while Shor's factoring algorithm is a tough act to follow, significant progress in quantum algorithms has been achieved. We concentrate on reviewing the more recent progress on this problem, skipping the discussion of early (but still important) quantum algorithms such as Grover's algorithm12 for searching (a quantum algorithm that can search an unstructured space quadratically faster than the best classical algorithm), but explaining some older algorithms in order to set context. For a good reference for learning about such early, now "classic" algorithms (like Grover's algorithm and Shor's algorithm) we refer the reader to the textbook by Nielsen and Chuang.21 Our discussion is largely ahistoric, motivated by attempting to give the reader intuition as to what motivated these new quantum algorithms. Astonishingly, we will see that progress in quantum algorithms has brought into the algorithmic fold basic ideas that have long been foundational in physics: interference, scattering, and group representation theory. Today's quantum algorithm designers plunder ideas from physics, mathematics, and chemistry, and weld them with the tried and true methods of classical computer science, in order to build a new generation of quantum contraptions that can outperform their classical counterparts.

Quantum Theory in a Nutshell

Quantum theory has acquired a reputation as an impenetrable theory accessible only after acquiring a significant theoretical physics background. One of the lessons of quantum computing is that this is not necessarily true: quantum computing can be learned without mastering vast amounts of physics, but instead by learning a few simple differences between quantum and classical information. Before discussing quantum algorithms, we first give a brief overview of why this is true and point out the distinguishing features that separate quantum information from classical information.

To describe a deterministic n-bit system it is sufficient to write down its configuration, which is simply a binary string of length n. If, however, we have n bits that can change according to probabilistic rules (we allow randomness into how we manipulate these bits), we will instead have to specify the probability distribution of the n bits. This means that to specify the system we require 2^n positive real numbers describing the probability of the system being in a given configuration. These 2^n numbers must sum to unity since they are, after all, probabilities. When we observe a classical system, we will always find it to exist in one particular configuration (i.e., one particular binary string) with the probability given by the 2^n numbers in our probability distribution.

Now let's turn this approach to quantum systems, and consider a system made up of n qubits. Again, n qubits will have a configuration which is just a length-n binary string. When you observe n qubits you will only see an n-bit configuration (thus, when you hear someone say that a qubit is both zero and one at the same time, you can rely on your common sense to tell them that this is absurd). But now, instead of describing our system by 2^n probabilities, we describe a quantum system by 2^n amplitudes. Amplitudes, unlike probabilities (which were positive real numbers that summed to unity), are complex numbers which, when you take their absolute value squared and add them up, sum to unity. Given the 2^n amplitudes describing a quantum system, if you observe the system, you will see a particular configuration with a probability given by the modulus squared of the amplitude for that configuration. In other words, quantum systems are described by a set of 2^n complex numbers that are a bit like square roots of probabilities (see Figure 1).

Figure 1. Classical versus quantum information. On the left, the classical bit is described by two nonnegative real numbers for its probabilities, Pr(0) = 1/3 and Pr(1) = 2/3. The quantum bit on the right, instead, has two complex-valued amplitudes that give the (same) probabilities by taking the absolute value squared of its entries. When a quantum system has such a description with nonzero amplitudes, one says that the system is in a superposition of the 0 and 1 configurations. Classical bit: (1/3, 2/3). Quantum bit: (-1/√3, (1 + i)/√3).

So far we have just said that there is this different description for quantum systems: you describe them by amplitudes and not by probabilities. But does this really have a consequence? After all, the amplitudes aren't used so far, except to calculate probabilities. In order to see that yes, indeed, it does have a profound consequence, we must next describe how to update our description of a system as it changes in time.
One can think about this as analyzing an algorithm in which the information in our computing device changes with time according to a specific recipe of changes.

For a classical probabilistic computing device we can describe how it changes in time by the conditional probability that the system changes into a new configuration given that it was in an old configuration. Such a set of conditional probabilities means that we can describe a probabilistic computing action by a stochastic matrix (a matrix whose entries are positive and whose columns sum to unity). A classical probabilistic algorithm can then be viewed as just a set of stochastic matrices describing how probabilities propagate through the computing device. If the classical probabilistic algorithm starts with n bits and ends with m bits, then the stochastic matrix describing the algorithm will be a 2^m by 2^n matrix.

What is the analogous procedure for a quantum system? Well, instead of specifying conditional probabilities of a new configuration given an old configuration, in a quantum system you need to specify the conditional amplitude of a new configuration given an old configuration. In the quantum world, the matrix of conditional amplitudes has two major differences from the classical probabilistic setting. The first is that quantum systems evolve reversibly, and thus the matrix is 2^n by 2^n (corresponding to the amplitude of every configuration to change into any other configuration). The second is that, in order to preserve the sum of the squares of those amplitudes, which should be 1 throughout, this matrix is a unitary matrix, meaning the entries of the matrix are complex numbers and the rows (and columns) of this matrix are orthonormal. Thus a quantum algorithm for a quantum system is given by a unitary matrix of conditional amplitudes.

What consequence does this change from probabilities to amplitudes and from stochastic matrices to unitary matrices have for the notion of an algorithm? This is, of course, the essential question at hand when considering quantum algorithms. In this survey we single out three major differences (quantum interference, the deep relationship between symmetries and quantum mechanics, and quantum entanglement) and show how they are related to recent progress in quantum algorithms.

Interference and the Quantum Drunkard's Walk

The first of our claimed differences between quantum computers and classical computers was that the former lead to effects of quantum interference. What is interference, and how can it lead to new efficient algorithms?

To illustrate the idea of interference, consider a random walk on a line. The standard, classical drunkard's walk on a line refers to the situation where the walker is allowed to step either forward or backward with equal probability every unit time step. When starting at position 0 at time zero, after one time step there is an equal probability of being at locations +1 and -1. After the next time step, there is a one-fourth probability of being at each of positions -2 and 2 and a one-half probability of being at position 0. Notice here that the probability of reaching zero was the sum of two probabilities: the probability that the drunkard got to 0 via 1 and the probability that it got to 0 via -1. Random walks on structures more complicated than a line are a well-known tool in classical algorithms.

Suppose that we want to construct a quantum version of this drunkard's walk. To specify a quantum walk we need, instead of a probability for taking a step forward or backward, an amplitude for doing this. However, we also need to make sure that the unitary nature of quantum theory is respected. For example, you might think that the quantum analogue of a classical walk is to take a step forward and a step backward each with amplitude one over the square root of two (since squaring this gives a probability of one half). If we start at 0, then after one step this prescription works: we have equal amplitude of one over the square root of two of being at either 1 or -1. If we measure the walker after this first step, the probability of being at 1 or -1 is each one half. But if we run this for another time step, we see that we have an amplitude of 1/2 to be at -2 or 2 and an amplitude of 1 to be at 0. Unfortunately, if we square these numbers and add them up, we get a number greater than unity, indicating that the evolution we have described is not unitary.

The solution to this problem is to let the drunkard flip a quantum coin at each time step, after which he steps in the direction indicated by the quantum coin. What is a quantum coin? A quantum coin is simply a qubit whose two configurations we can call "forward" and "backward," indicating the direction we are supposed to move after flipping the quantum coin. How do we flip such a coin? We apply a unitary transform. This unitary transform must specify four amplitudes. One choice of such a unitary transform that seems to mimic the drunkard's walk is to assign all conditional amplitudes a value of one over the square root of two, with the exception of the amplitude to change from the configuration "forward" to the configuration "backward," which, due to unitarity, we assign the amplitude negative one over the square root of two. In other words, the unitary transform we apply to flip the coin is specified by the transition matrix (columns indexed by the old coin configuration, forward then backward; rows by the new one)

    (  1/√2   1/√2 )
    ( -1/√2   1/√2 )        (1)

If we follow this prescription for a quantum random walk with the drunkard initially positioned at zero, one quickly sees that something strange happens. Consider, for instance, the probability distribution formed by the quantum walk had we measured the walker's position after three time steps (see Figure 2). Then the probability of getting to +1 for the drunkard is 1/8. For a classical walk the corresponding number would be 3/8. What is going on here? Well, if you trace back how he could have gotten to +1 in three steps, you'll see that there are three paths he could have used to get to this position. In the classical world each of these is traversed with equal probability, adding a contribution of 1/8 for each path.
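The coined walk just described takes only a few lines to simulate. A sketch, assuming the coin matrix of Equation 1; the article does not pin down the walker's initial coin state, and starting the coin in the "backward" configuration is the choice that reproduces the Figure 2 numbers:

```python
import numpy as np

F, B = 0, 1                       # coin configurations: forward, backward
coin = np.array([[1,  1],         # Eq. (1): every entry 1/sqrt(2) except
                 [-1, 1]]) / np.sqrt(2)  # forward -> backward, which is negative

def quantum_walk(steps, coin_start=B):
    amp = {(0, coin_start): 1.0 + 0j}    # (position, coin) -> amplitude
    for _ in range(steps):
        new = {}
        for (pos, c), a in amp.items():
            for c2 in (F, B):            # flip the coin unitarily...
                step = +1 if c2 == F else -1
                key = (pos + step, c2)   # ...then move as the coin says
                new[key] = new.get(key, 0) + coin[c2, c] * a
        amp = new
    probs = {}                           # Born rule, summed over the coin
    for (pos, _), a in amp.items():
        probs[pos] = probs.get(pos, 0.0) + abs(a)**2
    return probs

print(quantum_walk(3))   # P(+1) = 1/8 while P(-1) = 5/8, matching Figure 2
```

Amplitudes on colliding (position, coin) pairs are added before squaring, which is exactly where the interference happens.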
Communications of the ACM | February 2010 | Vol. 53, No. 2 | Review Articles
Figure 2. Classical (top) and quantum (bottom) random walks. The probability of reaching a particular point in space and time, given that we measure the position at that time, is listed on the vertices.

Classical walk:
time 0: probability 1 at position 0
time 1: 1/2, 1/2 at positions -1, +1
time 2: 1/4, 1/2, 1/4 at positions -2, 0, +2
time 3: 1/8, 3/8, 3/8, 1/8 at positions -3, -1, +1, +3
time 4: 1/16, 1/4, 3/8, 1/4, 1/16 at positions -4, -2, 0, +2, +4
time 5: 1/32, 5/32, 5/16, 5/16, 5/32, 1/32 at positions -5, -3, -1, +1, +3, +5

Quantum walk:
time 0: probability 1 at position 0
time 1: 1/2, 1/2 at positions -1, +1
time 2: 1/4, 1/2, 1/4 at positions -2, 0, +2
time 3: 1/8, 5/8, 1/8, 1/8 at positions -3, -1, +1, +3
time 4: 1/16, 5/8, 1/8, 1/8, 1/16 at positions -4, -2, 0, +2, +4
time 5: 1/32, 17/32, 1/8, 1/8, 5/32, 1/32 at positions -5, -3, -1, +1, +3, +5

But in the quantum world, two of these paths contribute equally but oppositely to the amplitude to get to this position. In other words, these two paths interfere with each other. Because amplitudes, unlike probabilities, don't have to be positive numbers, they can add up in ways that cancel out. This is the effect known as quantum interference. It is the same interference idea you see when two water waves collide with each other. But note an important difference here: amplitudes squared are probabilities. In water waves, the heights interfere, not anything related to the probabilities of the waves. This is the peculiar effect of quantum interference.

Quantum random walks were actually first described by physicists in 1993,2 but only with the rise of interest in quantum computers was it asked whether these walks could be used as a computational tool. An alternative, continuous-time version of these algorithms (tacking more closely to ideas in physics) has also been developed by Farhi and Gutmann.9 Given these quantum random walks, a natural question is: what does this have to do with algorithms? Well, the first observation is that quantum random walks behave in strange ways. For instance, a well-known property of classical random walks on a line is that the standard deviation of a random walk, as a function of the number of steps taken, T, scales like the square root of T. However, for a quantum random walk the standard deviation can actually spread linearly with T. Remarkably, this difference has been well known to physicists for a long time: it turns out that the quantum random walk defined above is closely related to the Dirac equation for a one-dimensional electron (the Dirac equation is a way to get quantum mechanics to play nicely with the special theory of relativity, and is a basic equation used in modern quantum field theory). This discovery, that quantum walks seem to explore space quadratically faster than classical random walks, has recently been shown to lead to quantum algorithms that polynomially outperform their classical cousins.

One example of an algorithm based upon quantum random walks is the algorithm for element distinctness due to Ambainis.3 The element distinctness problem is: given a function f from {1, 2, …, N} to {1, 2, …, N}, determine whether there exist two indices i ≠ j such that f(i) = f(j). Classically this requires Ω(N) queries to the function f. Ambainis showed how a quantum random walk algorithm for this problem could be made to work using O(N^{2/3}) queries: an improvement that has not been achieved using any other quantum methods to date. Other algorithms that admit speedups of a similar nature by using quantum random walks are spatial search (searching a spatially d-dimensional space),4 triangle finding,20 and verifying matrix products.7 Quantum random walk algorithms, then, are a powerful tool for deriving new quantum algorithms.

These examples all achieved polynomial speedups over the best possible classical algorithms. Given that quantum random walks can be used to polynomially outperform classical computers at some tasks, a natural question is whether quantum computers can be used to exponentially outperform classical computers. The answer to this question was first given by Childs et al.,8 who showed that a quantum random walk could traverse a graph exponentially faster than any possible classical algorithm walking on this graph. In Figure 3 we show the graph in question: the crux of the idea is that a quantum algorithm, by constructively or destructively interfering, can traverse this graph, while a classical algorithm will always get stuck in the middle of the graph. Constructive interference refers to the condition where quantum evolution causes amplitudes to increase in absolute magnitude (and hence in probability), while destructive interference refers to where the evolution causes amplitudes to decrease in absolute magnitude (and hence decrease in probability).

Figure 3. An example of a graph arising in the quantum random walk problem considered by Childs et al.8 In this problem one is given access to a function that takes as input a vertex and returns a list of the vertex's neighbors. The goal of the problem considered by Childs et al. is, by querying the function as few times as possible, to traverse from the start vertex to the end vertex. The graphs considered are two full binary trees, whose roots are the start and end vertices, pasted together with a random cycle (in the example, the cycle resides inside the dashed box). The quantum algorithm starts at the start vertex and then performs a quantum diffusion to the end vertex. The random cycle in the middle does not destroy this diffusion, since all paths contribute equally to it. For a graph of depth d, the quantum walk will find the end vertex by querying the local vertex function a number of times polynomial in d. The best classical algorithm can be shown to require querying the function for local vertex information exponentially many times in d.

In spite of this success, the above problem, traversing this graph, does not appear to have a good algorithmic use. Thus a subject of great research interest today is whether there are quantum random walk algorithms that offer exponential speedups over classical algorithms for interesting algorithmic problems.

Quantum Algorithms and Game Playing

Quantum interference, the ability of multiple computational paths to add or subtract amplitudes and thus raise and lower probabilities, is an effect well known to physicists. Given this, it is interesting to ask whether other techniques from the physicist's toolbox might also be of use in algorithms. A great example of this approach was the recent discovery by Farhi et al.10 of a quantum algorithm that outperforms all possible classical algorithms for the evaluation of NAND tree circuits. This algorithm was derived, amazingly, by considering the scattering of wave packets off certain binary trees. As a quintessential physics experiment involves shooting one quantum system at another and observing the resulting scattered "outputs," physicists have developed a host of tools for analyzing such scattering experiments. It was this approach that led the above authors to the following important new quantum algorithm.

To illustrate the NAND tree problem, consider the following two-player game. The players are presented with a complete binary tree of depth k. On the leaves of the tree are labels that declare whether player A or player B wins by getting to this node. At the beginning of a match, a marker is placed at the root of the tree. Players take alternating turns moving this marker down a level in the tree, choosing one of the two possible paths, with the goal, of course, of ending up at a leaf labeled by the player's name. A natural question to ask is whether it is always possible for player A, with its first move, to win the game. Evaluating whether this is the case can be done inductively in the following way. Suppose player A makes the last move. Then player A will be able to win if the marker is on a node with at least one of its children labeled "A wins"; hence we should label such internal nodes with "A wins" as well. This line of reasoning holds in general for all internal nodes on which A makes a move: as soon as one of the children has the label "A wins," the node inherits the same conclusion. On the other hand, if none of the children has this label, then we can conclude "B wins." Player B will, of course, be reasoning in a similar manner. Thus we can see that player A will win, starting from a node of height two, only if both of the children of the node lead to positions where A wins. We can then proceed inductively, using this logic to evaluate whether player A can always win the game with a move originating from the root of the tree. If we label the leaves where player A wins by 1 and the leaves where player B wins by 0, then we can compute the value of the root node (indicating whether player A can always win) by representing the interior layers of the tree by alternating layers of AND and OR gates. Further, it is easy to see that one can transform this from alternating layers of AND and OR gates to uniform layers of NAND (negated AND) gates, with a possible flipping of the binary values assigned to the leaves.

We have just shown that the problem of evaluating whether the first player has a series of moves that guarantees victory is equivalent to evaluating the value of a NAND tree circuit given a labeling of the leaves of the tree. Further, if a player can evaluate any interior value of the NAND tree, then one can use this to actually win the game: one can simply use the algorithm to evaluate the two subtrees and, if one of them is always a win, take that move. Thus the problem of evaluating the value of the NAND tree is of central importance for winning this game. The NAND tree is an example of the more general concept of a game tree, which is useful for the study of many games such as Chess and Go. In these latter games more than two moves are available, but a similar logic for evaluating whether there is a winning strategy applies. This problem, of which the NAND tree circuit is the smallest example, is a central object in the study of combinatorial games.

One can now ask: how costly is it to evaluate the NAND tree? That is, how many nodes does one need to query in order to compute its value? One could evaluate every leaf and compute the root, but certainly this is wasteful: if you ever encounter a subtree that evaluates to 0, you know that the parent of this subtree must evaluate to 1. A probabilistic recursive algorithm is then easy to think up: evaluate a subtree by first evaluating, at random, either its left or its right subtree. If this (left or right) subtree is 0, then the original subtree must have value 1. If not, evaluate the other subtree. This method, known as alpha-beta pruning, has a long history in artificial intelligence research. For the NAND tree, one can show that by evaluating about O(N^{0.753}) of the N leaves one can calculate the value of the NAND tree with high probability. It is also known that this number of queried leaves is optimal.

For a long period of time it was uncertain whether quantum computers could perform better than this. Using standard lower-bounding methods, the best lower bound that could be proved was Ω(N^{1/2}), yet no quantum algorithm was able to achieve such a speedup over the best classical algorithm. Enter onto the scene the physicists Farhi, Goldstone, and Gutmann. These authors considered a continuous quantum random walk of a strange form: a quantum random walk on the graph formed by a binary tree (of size related to the NAND tree being evaluated) attached to a long runway (see Figure 4). They then showed how, if one constructed an initial quantum state describing a system moving to the right toward the binary tree, one could obtain the value of the NAND tree by seeing whether such a quantum system scattered back off the binary tree or passed through along the other side of the runway. The time required to see this scattering or lack of scattering was shown to be proportional to O(N^{1/2}). In other words, the NAND tree could be evaluated in O(N^{1/2}) time by scattering a wave packet off of a binary tree representing the NAND tree problem.
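The randomized pruning strategy described above can be sketched in a few lines (the tree is represented as a flat list of N leaf values, N a power of two; the query counter is added for illustration):

```python
import random

def eval_nand(leaves, lo, hi, counter):
    # Evaluate the NAND tree over leaves[lo:hi], querying as few leaves
    # as possible: if a randomly chosen child evaluates to 0, the node
    # is 1 and the other child is never touched.
    if hi - lo == 1:
        counter[0] += 1            # one leaf query
        return leaves[lo]
    mid = (lo + hi) // 2
    halves = [(lo, mid), (mid, hi)]
    random.shuffle(halves)         # randomize which subtree goes first
    a = eval_nand(leaves, *halves[0], counter)
    if a == 0:
        return 1                   # NAND(0, anything) = 1; prune
    b = eval_nand(leaves, *halves[1], counter)
    return 1 - (a & b)             # NAND of the two children

leaves = [random.randint(0, 1) for _ in range(16)]
queries = [0]
value = eval_nand(leaves, 0, len(leaves), queries)
print(value, "using", queries[0], "of", len(leaves), "leaf queries")
```

Averaged over the coin flips, the expected number of leaf queries is what scales as roughly N^0.753.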
Figure 4. The NAND tree algorithm of Farhi, Goldstone, and Gutmann.10 is defined on the same group. That
this does not have to be as abstract as
First, a tree is constructed where the presence or absence of leaves at the top of the tree corresponds it seems is illustrated in Figure 5 for
to the binary input values to the NAND tree problem. Next, a wavepacket is then constructed which, the group of three-dimensional rota-
if the tree were not attached, would propagate to the right. When the tree is attached, as shown, the tions and the icosahedral symmetry of
value of the NAND tree can be determined by running the appropriate quantum walk and observing
whether the wave packet passes to the right of the attached tree or is reflected backwards.
a soccer ball.
Given a group G the symmetry of a
function f defined on G can range from
the trivial (when only the identity of G
O(N^{1/2}) time by scattering a wave packet off of a binary tree representing the NAND tree problem. A few simple modifications can bring this in line with the standard computer scientist's definition of a query algorithm for the NAND tree problem. Presto, out of a scattering experiment one can derive a quantum algorithm for the NAND tree problem which gives an O(N^{1/2}) algorithm outperforming a classical computer science algorithm. Building upon this work, a variety of different trees with different branching ratios and degrees of being balanced have been explored, showing quantum speedups. Indeed, one remarkable aspect of much of this work is that while in many cases the classical versions of these problems do not have matching upper and lower bounds, in the quantum case matching upper and lower bounds can now be achieved.

symmetries. Here we review recent progress in algorithms concerning hidden symmetries. In many respects these algorithms date back to the earliest quantum algorithms, a connection we first briefly review, before turning to more modern ways in which this has influenced finding new quantum algorithms.

We say an object has symmetry if "we can do something to it without changing it." The things we can do are described by the elements of a group G, and the object itself is a function f that the group elements act upon. The possible symmetries of f range from no symmetry at all (where only the identity operation leaves f unchanged) to the maximum possible symmetry where f remains unchanged under all possible group operations. The most interesting cases happen when f is invariant under only a proper subgroup H of G, and the task of finding this H, given f, is known as the hidden subgroup problem. For many different types of groups we know how to solve this problem efficiently on a quantum computer, while no classical algorithm can perform the same feat. We claim that this is because quantum computers can more efficiently exploit problems with hidden symmetries.

Figure 5. The symmetries of a soccer ball.

To illustrate how quantum computers are better suited to deal with symmetries, let's talk about the simplest symmetry one can talk about: the symmetry of flipping a bit. Consider the operation X of negating a bit and the identity operation I. If we perform X twice, we obtain the operation I of doing nothing at all, which shows that I and X together form a group.
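To make the hidden subgroup problem concrete, here is a toy instance (our own illustrative example, not from the article) over the cyclic group Z_12: the function f below is constant on cosets of the hidden subgroup H = {0, 4, 8}, and a classical search recovers H only by testing every shift — exactly the invariance structure a quantum algorithm can detect far more efficiently for large groups.

```python
# Toy hidden subgroup problem over the cyclic group Z_12 (illustrative).
# f is constant on cosets of the hidden subgroup H = {0, 4, 8}, i.e.
# f((x + h) mod 12) = f(x) for every h in H.
N = 12

def f(x):
    # x mod 4 labels the coset of H = {0, 4, 8} that x belongs to.
    return x % 4

# Classically, we can only recover H by testing every possible shift:
H = {h for h in range(N) if all(f((x + h) % N) == f(x) for x in range(N))}
print(sorted(H))  # the hidden subgroup: [0, 4, 8]
```

For a group of size N this brute-force test costs O(N^2) evaluations of f; the quantum hidden subgroup algorithms discussed here need only poly(log N) resources.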
Next, consider representing how I and X operate on a classical probabilistic bit. Such a binary system is described by a two-dimensional vector of probabilities, corresponding to the probability p0 of being in 0 and p1 of being in 1. The operations I and X can then be represented on this system as the two-by-two matrices

    I = ( 1  0 )        X = ( 0  1 )
        ( 0  1 ),           ( 1  0 ).

In group theoretic parlance, we say that these two matrices form a representation of the group, which effectively means that the multiplication among these matrices mimics the operation among the elements of the group that is being represented.

But now notice how the matrices for I and X act on the vector space R^2. Naturally, the identity matrix I leaves all vectors unchanged, but the X matrix acts in a more interesting way. If X acts on the symmetric vector [1, 1], then, like I, it preserves this vector. If, on the other hand, X operates upon the vector [1, −1], then it multiplies this vector by −1. This new vector [−1, 1] still sits in the one-dimensional subspace spanned by the original [1, −1], but the direction of the vector has been reversed. In other words, the act of flipping a bit can naturally be broken down into its action upon two one-dimensional subspaces: on the first of these the group always acts trivially, while on the other it always acts by multiplying by the scalar −1. Now we can see why classical probabilistic information is at odds with this symmetry: while we can create a symmetric probability distribution [1/2, 1/2] wherein the bit flip X preserves this distribution, we cannot create the other probability distribution that transforms according to the multiplication by −1: doing so would require that we have negative probabilities. But wait, this is exactly what the amplitudes of quantum computers allow you to do: to prepare and analyze quantum information in all the relevant subspaces associated with group operations such as flipping a bit. Unlike classical computers, quantum computers can analyze symmetries by realizing the unitary transforms which directly show the effects of these symmetries. This, in a nutshell, is why quantum algorithms are better adapted to solve problems that involve symmetries.

The idea that symmetry is the excelsior of exponential quantum speedups now has considerable evidence in its favor and is one of the major motivators for current research in quantum algorithms. Shor's algorithm for factoring works by converting the problem of finding divisors to that of finding periods of a function defined over the integers, which in turn is the problem of determining the translational symmetries of this function. In particular, Shor's algorithm works by finding the period of the function f(x) = r^x mod N, where r is a random number coprime with N, the number one wishes to factor. If one finds the period of this function, i.e. the smallest nonzero p such that f(x) = f(x + p), then one has identified a p such that r^p = 1 mod N. If p is even (which happens with constant probability for random r), then we can express this equation as (r^{p/2} + 1)(r^{p/2} − 1) = 0 mod N. This implies that the greatest common divisor of r^{p/2} + 1 and N, or the greatest common divisor of r^{p/2} − 1 and N, is a divisor of N. One can then use the Euclidean algorithm to find a factor of N (should it exist). Thus one can efficiently factor assuming one can find the period p of f(x). This fact was known before Shor's discovery; the task of determining the period p is what requires a quantum computer.

How, then, can a quantum algorithm find the period p of a function f? The answer is: by exploiting the just described friendly relationship between quantum mechanics and group theory. One starts with a system of two quantum registers, call them left and right. These are prepared into a state where, with equal amplitude, the left register contains a value x and the right register carries the corresponding function value f(x). The hidden symmetry of this state is captured by the fact that it remains unchanged if we add p (or a multiple of p) to the left register; adding a non-multiple of p will, on the other hand, change the state. To extract this hidden symmetry, let us view the amplitudes of the state as the values of a function from n-bit strings to the complex numbers. We would like to use a quantum version of the Fourier transform to extract the symmetry hidden in this function. Why the Fourier transform? The answer to this is that the Fourier transform is intimately related to the symmetry of addition modulo N. In particular, if we examine the process of addition where we have performed a Fourier transform before the addition and an inverse Fourier transform after the addition, we will find that it is now transformed from an addition into multiplication by a phase (a complex number z such that |z| = 1). Addition can be represented on a quantum computer as a permutation matrix: a matrix with only a single one per column and row of the matrix. If we examine how such a matrix looks in the basis change given by the Fourier transform, then we see that this matrix only has entries on the diagonal of the matrix. Thus the Fourier transform is exactly the unitary transform which one can use to "diagonalize the addition matrix" with respect to the symmetry of addition, which in turn is exactly the form of the symmetry needed for period finding.

The output of the quantum Fourier transformation will reveal to us which symmetries the state has, and by repeating this Fourier sampling a few times we will be able to learn the exact subgroup that the state hides, thus giving us the period p (and hence allowing us to factor). Crucially, the quantum Fourier transform can be implemented on a number of qubits logarithmic in the size of the addition group, log N, and in a time polynomial in log N as well. If one were to attempt to mimic Shor's algorithm on a classical computer, one would need to perform a Fourier transform on N classical pieces of data, which would require N log N time (using the fast Fourier transform). In contrast, because Shor's quantum algorithm acts on quantum amplitudes, instead of on classical configuration data, it leads to an efficient quantum algorithm for factoring.

This symmetry analysis follows from the basics of group representation theory: symmetries are described by groups, and the elements of these groups can be represented by unitary matrices.
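The two-by-two representation just described is easy to check numerically. The NumPy sketch below verifies that X preserves the symmetric vector [1, 1], negates [1, −1], and that a vector proportional to [1, −1] is a legal quantum amplitude vector even though it can never be a probability distribution.

```python
import numpy as np

# The two-by-two representation of the bit-flip group {I, X}.
I = np.array([[1.0, 0.0], [0.0, 1.0]])
X = np.array([[0.0, 1.0], [1.0, 0.0]])

# X applied twice is the identity, so {I, X} is closed as a group.
assert np.allclose(X @ X, I)

# The symmetric vector [1, 1] is preserved by X ...
s = np.array([1.0, 1.0])
assert np.allclose(X @ s, s)

# ... while the antisymmetric vector [1, -1] is multiplied by -1.
a = np.array([1.0, -1.0])
assert np.allclose(X @ a, -a)

# A probability distribution proportional to [1, -1] would need a
# negative entry, so no stochastic (classical probabilistic) process
# can live in this subspace -- but a quantum amplitude vector can:
psi = np.array([1.0, -1.0]) / np.sqrt(2)   # a valid quantum state
print(np.sum(psi**2))                      # probabilities still sum to 1
```

The last two lines are the article's point in miniature: amplitudes may be negative, so quantum states can occupy the −1 eigenspace of X that probability vectors cannot.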
This is something that classical probabilistic computers cannot exploit: the only way to represent a group on a classical computer is to represent it by deterministic permutations. But while a group can be represented by unitary matrices, no such representation is possible using stochastic matrices. This, at its heart, appears to be one of the key reasons that quantum computers offer exponential benefits for some problems over classical computers.

Given that Shor's algorithm exploits symmetry in such a successful way, it is natural to search for other problems that involve hidden symmetries. Following Shor's discovery it was quickly realized that almost all prior quantum algorithms could be cast in a unifying form as solving the hidden subgroup problem for one group or the other. For Shor's algorithm the relevant group is the group of addition modulo N. For the discrete logarithm problem the relevant group is the direct product of the groups of addition modulo N. Indeed, it was soon discovered that for all finite Abelian groups (Abelian groups are those whose elements all commute with each other) quantum computers could efficiently solve the hidden subgroup problem. A natural follow-up question is: what about the non-Abelian hidden subgroup problem? And, even more importantly, would such an algorithm be useful for any natural problems, as the Abelian hidden subgroup problem is useful for factoring?

One of the remarkable facts about the problem of factoring is its intermediate computational complexity. Indeed, if one examines the decision version of the factoring problem, one finds that this is a problem which is in the complexity class NP and in the complexity class Co-NP. Because of this fact it is thought to be highly unlikely that it is NP-complete, since if it were, then the polynomial hierarchy would collapse in a way thought unlikely by complexity theorists. On the other hand, there is no known classical algorithm for factoring. Thus factoring appears to be of Goldilocks complexity: not so hard as to revolutionize our notion of tractability by being NP-complete, but not so easy as to admit an efficient classical solution. There are, surprisingly, only a few problems which appear to fit into this category. Among them, however, are the problems of graph isomorphism and certain shortest-vector-in-a-lattice problems. Might quantum computers help at solving these problems efficiently?

Soon after Shor's algorithm was phrased as a hidden subgroup problem, it was realized that if you could efficiently solve the hidden subgroup problem over the symmetric group (the group of permutations of n objects), then you would have an efficient quantum algorithm that solves the graph isomorphism problem. Further, Regev22 showed how the hidden subgroup problem over the dihedral group (the group of symmetries of a regular polygon where one can not only rotate but also flip the object) relates to finding short vectors in a high-dimensional lattice. Hence a hypothetical efficient quantum algorithm for this dihedral case could be used to solve such shortest-vector problems. This in turn would break the public key cryptosystems that are based upon the hardness of these lattice problems, which are among the very few cryptosystems not broken by Shor's algorithm. As a result of these observations about the non-Abelian hidden subgroup problem, designing quantum algorithms for such groups has become an important part of the research in quantum computation. While a certain amount of progress has been achieved (by now we know of many non-Abelian groups over which the hidden subgroup problem can be solved efficiently), this problem remains one of the outstanding problems in the theory of quantum algorithms.

At the same time, going back to the Abelian groups, there has been quite some success in finding new applications of the quantum algorithm for the Abelian hidden subgroup problem, besides factoring and discrete logarithms. Hallgren14 showed that there exists a quantum algorithm for solving Pell's equation (that is, finding integer solutions x, y to the equation x^2 − dy^2 = 1; see Table 1), while Kedlaya15 has described a quantum procedure that efficiently counts the number of points on curves defined over finite fields. Furthermore, other efficient quantum algorithms have been found for, among other problems, determining the structure of black box groups, estimating Gauss sums, finding hidden shifts, and estimating knot invariants.

Simulating Quantum Physics
A final area in which quantum algorithms have made progress goes back to the very roots of quantum computing and indeed of classical computing itself. From their earliest days, computers have been put to use in simulating physics.

Table 1. Some examples of integer solutions (x, y) to Pell's equation x^2 − dy^2 = 1 for different values of d. Such solutions tell us what the units are of the number field Q[√d] (the rational numbers extended with the irrational √d) and thereby solve the unit group problem. Hallgren's result shows how this problem can be solved efficiently on a quantum computer, while no such algorithm is known for classical computers.

  d = 2:     x = 3,    y = 2
  d = 3:     x = 2,    y = 1
  d = 5:     x = 9,    y = 4
  ⋮
  d = 13:    x = 649,  y = 180
  d = 14:    x = 15,   y = 4
  ⋮
  d = 6,009: x = 131,634,010,632,725,315,892,594,469,510,599,473,884,013,975 (≈ 1.3 × 10^44),
             y = 1,698,114,661,157,803,451,688,949,237,883,146,576,681,644 (≈ 1.6 × 10^42)
  d = 6,013: x = 40,929,908,599,  y = 527,831,340
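The small entries of Table 1 can be reproduced classically by brute force. The sketch below (an illustration of the problem statement, not of Hallgren's algorithm; the search limit is our own choice) finds the fundamental solution for small d, and becomes hopeless for values like d = 6,009, whose solutions have more than forty digits — which is precisely where the quantum algorithm earns its keep.

```python
from math import isqrt

def pell_fundamental(d, limit=10**6):
    """Smallest positive integers (x, y) with x^2 - d*y^2 = 1,
    found by brute force over y (impractical for large d)."""
    for y in range(1, limit):
        x2 = d * y * y + 1
        x = isqrt(x2)
        if x * x == x2:          # x2 is a perfect square
            return x, y
    return None

print(pell_fundamental(13))  # (649, 180), as in Table 1
print(pell_fundamental(14))  # (15, 4)
```

Note how irregularly the solution size jumps with d (compare d = 13 and d = 14 in Table 1); this erratic growth is part of what makes the classical problem hard.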
Among the difficulties that were soon encountered in such simulations was that quantum systems appeared to be harder to simulate than their classical counterparts. But, of course, somehow nature, which obeys quantum theory, is already carrying out "the simulation" involved in quantum physics. So, if nature is carrying out the simulation, then should we be able to design a computer that also can perform this simulation? This was in fact the seed of the idea that led to the original notion of quantum computing by Feynman.11

To put this in perspective, consider the problem of simulating classical physics. The miracle of reproducing classical physics on a classical computer is that you can use many 'particles' with small state spaces (bits) to mimic a few particles that have very large state spaces. For this to be possible it is required that the number of bit configurations, 2^(number of bits), is at least as big as the number of possible states of the physical system (which is the size of the particle's state space exponentiated with the number of particles). As a result, we can simulate the solar system on a laptop.

Quantum computing does the same thing for quantum mechanical systems; now 2^(number of qubits) is the dimension of the state space, and it allows us to simulate other quantum physical systems that consist of a few particles with exponentially large state spaces. Here, however, it appears essential that we rely on quantum computing components in order to simulate the truly quantum mechanical components of a physical system. A crucial question therefore is: which physical systems are interesting to simulate in such a manner?

While the complete answer to this question is not known, a deeper look at quantum algorithms for simulating quantum physics is now being undertaken in several places. As an example, a group of physical chemists have recently compared how useful quantum computers would be for computing the energy level structure of molecular systems.5 This is a classical problem of physical chemistry, and our inability to perform these calculations robustly for large molecules is a bottleneck in a variety of chemical and biological applications. Could quantum computers help in solving this problem, outperforming the best classical algorithms? One of the exciting findings in studying this problem was that a small quantum computer, consisting of only a few hundred qubits, could already outperform the best classical algorithms for this problem. This small number makes it likely that among the first applications of a quantum computer will not be factoring numbers, but instead will be simulating quantum physics. Indeed, we believe that a quantum computer will be able to efficiently simulate any possible physical system, and that it therefore has the potential to have a huge impact on everything from drug discovery to the rapid development of new materials.

Conclusion
The discovery that quantum computers could efficiently factor is, even today, difficult to really appreciate. There are many ways to get out of the conundrum posed by this discovery, but all of these will require a fundamental rewriting of our understanding of either physics or computer science. One possibility is that quantum computers cannot be built because quantum theory does not really hold as a universal theory. Although disappointing for quantum computer scientists, such a conclusion would be a major discovery about quantum theory, one of the best tested physical theories. Perhaps there is a classical algorithm for efficiently factoring integers. This would be a major computer science discovery and would blow apart our modern public key cryptography. Or perhaps, just perhaps, quantum computers really are the true model of computing in our universe, and the rules of what is efficiently computable have changed. These are the dreams of quantum computer scientists, looking for quantum algorithms on the quantum machines that have yet to be programmed.

References
1. Aharonov, D., Ben-Or, M. Fault-tolerant quantum computation with constant error rate. In Proceedings of the Twenty-Ninth Annual ACM Symposium on Theory of Computing (1997). ACM, 176–188.
2. Aharonov, Y., Davidovich, L., Zagury, N. Quantum random walks. Phys. Rev. A 48 (1993), 1687.
3. Ambainis, A. Quantum walk algorithm for element distinctness. SIAM J. Comput. 37 (2007), 210.
4. Ambainis, A., Kempe, J., Rivosh, A. Coins make quantum walks faster. In Proceedings of the 16th Annual ACM-SIAM Symposium on Discrete Algorithms (2005), 1099.
5. Aspuru-Guzik, A., Dutoi, A., Love, P.J., Head-Gordon, M. Simulated quantum computation of molecular energies. Science 309, 5741 (2005).
6. Bell, J.S. On the Einstein Podolsky Rosen paradox. Physics 1 (1964), 195.
7. Buhrman, H., Špalek, R. Quantum verification of matrix products. In Proceedings of the 17th Annual ACM-SIAM Symposium on Discrete Algorithms (2006), 880.
8. Childs, A.M., Cleve, R., Deotto, E., Farhi, E., Gutmann, S., Spielman, D.A. Exponential algorithmic speedup by quantum walk. In Proceedings of the 35th ACM Symposium on Theory of Computing (2003), 59–68.
9. Farhi, E., Gutmann, S. Quantum computation and decision trees. Phys. Rev. A 58 (1998), 915.
10. Farhi, E., Goldstone, J., Gutmann, S. A quantum algorithm for the Hamiltonian NAND tree. Eprint arXiv:quant-ph/0702144, 2007.
11. Feynman, R. Simulating physics with computers. Intl. J. Theor. Phys. 21 (1982), 467–488.
12. Grover, L. A fast quantum mechanical algorithm for database search. In Proceedings of the 28th Annual ACM Symposium on the Theory of Computation (New York, 1996). ACM, 212–219.
13. Häffner, H., Hänsel, W., Roos, C.F., Benhelm, J., Chek-al-kar, D., Chwalla, M., Körber, T., Rapol, U.D., Riebe, M., Schmidt, P.O., Becher, C., Gühne, O., Dür, W., Blatt, R. Scalable multiparticle entanglement of trapped ions. Nature 438 (2005), 643.
14. Hallgren, S. Polynomial-time quantum algorithms for Pell's equation and the principal ideal problem. In Proceedings of the 34th Annual ACM Symposium on the Theory of Computation (New York, 2002). ACM, 653–658.
15. Kedlaya, K.S. Quantum computation of zeta functions of curves. Comput. Complex. 15 (2006), 1–19.
16. Kitaev, A. Quantum error correction with imperfect gates. In Quantum Communication, Computing and Measurement (New York, 1997). Plenum, 181–188.
17. Knill, E., Laflamme, R., Zurek, W.H. Resilient quantum computation. Science 279 (1998), 342–345.
18. Knill, E., Laflamme, R., Zurek, W.H. Resilient quantum computation: error models and thresholds. Proc. Roy. Soc. Lond. Ser. A 454 (1998), 365–384.
19. Leibfried, D., Knill, E., Seidelin, S., Britton, J., Blakestad, R.B., Chiaverini, J., Hume, D.B., Itano, W.M., Jost, J.D., Langer, C., Ozeri, R., Reichle, R., Wineland, D.J. Creation of a six-atom 'Schrödinger cat' state. Nature 438 (2005), 639.
20. Magniez, F., Santha, M., Szegedy, M. Quantum algorithms for the triangle problem. In Proceedings of the 16th Annual ACM-SIAM Symposium on Discrete Algorithms (2005), 1109.
21. Nielsen, M.A., Chuang, I.L. Quantum Computation and Quantum Information. Cambridge University Press, New York, 2000.
22. Regev, O. Quantum computation and lattice problems. In 43rd Symposium on Foundations of Computer Science (IEEE Computer Society, 2002), 520–529.
23. Rivest, R.L., Shamir, A., Adleman, L. A method for obtaining digital signatures and public-key cryptosystems. Commun. ACM 21 (1978), 120–126.
24. Shor, P.W. Algorithms for quantum computation: Discrete log and factoring. In Proceedings of the 35th Annual Symposium on the Foundations of Computer Science. S. Goldwasser, ed. (Los Alamitos, CA, 1994). IEEE Computer Society, 124–134.
25. Shor, P.W. Fault tolerant quantum computation. In Proceedings of the 37th Symposium on the Foundations of Computer Science (Los Alamitos, CA, 1996). IEEE, 56–65.
26. Woehr, J. Online interview "A Conversation with Christos Papadimitriou." Dr. Dobb's J., July.

Dave Bacon (dabacon@cs.washington.edu) is an assistant research professor in the Department of Computer Science & Engineering, Department of Physics, University of Washington, Seattle, WA.

Wim van Dam (vandam@cs.ucsb.edu) is an associate professor in the Department of Computer Science, Department of Physics, University of California, Santa Barbara, Santa Barbara, CA.

© 2010 ACM 0001-0782/10/0200 $10.00
research highlights

P. 96 Technical Perspective: Strange Effects in High Dimension
By Sanjoy Dasgupta

P. 97 Faster Dimension Reduction
By Nir Ailon and Bernard Chazelle

P. 105 Technical Perspective: Want to be a Bug Buster?
By Shekhar Y. Borkar

P. 106 Post-Silicon Bug Localization for Processors Using IFRA
By Sung-Boem Park and Subhasish Mitra

FEBRUARY 2010 | VOL. 53 | NO. 2 | COMMUNICATIONS OF THE ACM 95

DOI:10.1145/1646353.1646378
large numbers. Each sample corresponds to a dimension. The beauty of the scheme is that we can now use it to handle many distances at once.

It is easy to see that randomness is necessary if we hope to make meaningful use of the reduced data; otherwise we could be given as input a set of vectors belonging to the kernel of any fixed matrix, thus losing all information. The size of the distortion as well as the failure probability are user-specified parameters that determine the target (low) dimension. How many dimensions are sufficient? Careful quantitative calculation reveals that, if all we care about is distances between pairs of vectors and angles between them (in other words, the Euclidean geometry of the data), then a random linear mapping to a space of dimension logarithmic in the size of the data is sufficient. This statement, which we formalize in Section 1.1, follows from Johnson and Lindenstrauss's seminal work.25 The consequence is quite powerful: If our database contains n vectors in d dimensions, then we can replace it with one in which the data contains only log n dimensions! Although the original paper was not stated in a computational language, deriving naïve pseudocode for an algorithm implementing the idea in that paper is almost immediate. This algorithm, which we refer to as JL for brevity, has been studied in theoretical computer science in many different contexts. The main theme in this study is improving the efficiency of algorithms for high-dimensional geometric problems such as clustering,37 nearest neighbor searching,24, 27 and large scale linear algebraic computation.18, 28, 35, 36, 38

For many readers it may be obvious that these algorithms are directly related to widely used technologies such as web search. For others this may come as a surprise: Where does a Euclidean space hide in a web full of textual documents? It turns out that it is very useful to represent text as vectors in high-dimensional Euclidean space.34 The dimension in the latter example can be as high as the number of words in the text language!

This last example illustrates what a metric embedding is: a mapping of objects as points in metric spaces. Computer scientists care about such embeddings because often it is easier to design algorithms for metric spaces. The simpler the metric space is, the friendlier it is for algorithm design. Dimensionality is just one out of many measures of simplicity. We digress from JL by mentioning a few important results in computer science illustrating why embedding input in simple metric spaces is useful. We refer the reader to Linial et al.29 for one of the pioneering works in the field.

The Traveling Salesman Problem (TSP), in which one wishes to plan a full tour of a set of cities, with given costs of traveling between any two cities, is an archetype of a computational hardness which becomes easier if the cities are embedded in a metric space,14 and especially in a low-dimensional Euclidean one.7, 30

Problems such as combinatorial optimization on graphs become easier if the nodes of the graph can be embedded in ℓ_1 space. (The space ℓ_p^d is defined to be the set R^d endowed with a norm, where the norm of a vector x (written as ||x||_p) is given by (Σ_{i=1}^d |x_i|^p)^(1/p). The metric is given by the distance between pairs of vectors x and y, taken to be ||x − y||_p.)

Embedding into tree metrics (where the distance between two nodes is defined by the length of the path joining them) is useful for solving network design optimization problems.

Figure 1. Embedding a spherical metric onto a planar one is no easy task. The latter is more favorable as input to printers.

The JL algorithm linearly embeds an input which is already in a high-dimensional Euclidean space ℓ_2^d into a lower-dimensional ℓ_p^k space for any p ≥ 1, and admits a naïve implementation with O(dk) running time per data vector; in other words, the complexity is proportional to the number of random matrix elements.

Our modification of JL is denoted FJLT, for Fast Johnson–Lindenstrauss Transform. Although JL often works well, it is the computational bottleneck of many applications, such as approximate nearest neighbor searching.24, 27 In such cases, substituting FJLT yields an immediate improvement. Another benefit is that implementing FJLT remains extremely simple. Later, in Section 3, we show how FJLT helps in some of the applications mentioned above. Until then, we concentrate on the story of FJLT itself, which is interesting in its own right.

1.1. A brief history of a quest for a faster JL
Before describing our result, we present the original JL result in detail, as well as survey results related to its computational aspects. We begin with the central lemma behind JL.25 The following are the main variables we will be manipulating:

X: a set of vectors in Euclidean space (our input dataset). In what follows, we use the terms points and vectors interchangeably.
n: the size of the set X.
d: the dimension of the Euclidean space (typically very big).
k: the dimension of the space we will reduce the points in X to (ideally, much smaller than d).
ε: a small tolerance parameter, measuring the maximum allowed distortion rate of the metric space induced by the set X (the exact definition of distortion will be given below).

In JL, we take k to be cε^{−2} log n, for some large enough constant c.
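The naïve O(dk)-per-vector JL implementation described above can be sketched in a few lines of NumPy. The constant c = 4 and the sampled-pair distortion check are our own illustrative choices, not values from the paper.

```python
import numpy as np

rng = np.random.default_rng(0)

n, d, eps = 200, 1000, 0.3
c = 4.0                                 # illustrative constant
k = int(c * eps**-2 * np.log(n))        # target dimension ~ log n

X = rng.standard_normal((n, d))         # n input vectors in R^d
A = rng.standard_normal((k, d)) / np.sqrt(k)   # random JL map, O(dk) per vector
Y = X @ A.T                             # embedded vectors in R^k

# Distortion check on 50 random disjoint pairs: ||Ax - Ay|| vs ||x - y||.
perm = rng.permutation(n)
i, j = perm[:50], perm[50:100]
orig = np.linalg.norm(X[i] - X[j], axis=1)
emb = np.linalg.norm(Y[i] - Y[j], axis=1)
ratio = emb / orig
print(ratio.min(), ratio.max())         # typically within 1 - eps and 1 + eps
```

The matrix-vector product here is exactly the O(dk) bottleneck the FJLT is designed to remove.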
frustration on the face of any musician who has to wrestle with the delay from a digital synthesizer can be attributed to the Uncertainty Principle.

Before we show how to use this principle, we must stop and ask: what are the tools we have at our disposal? We may write the matrix Φ as a product of matrices, or, algorithmically, apply a chain of linear mappings on an input vector. With that in mind, an interesting family of matrices we can apply to an input vector is the orthogonal family of d-by-d matrices. Such matrices are isometries: the Euclidean geometry suffers no distortion from their application. In other words, ||Ax||_2 = ||x||_2 for any orthogonal matrix A. With this in mind, we precondition the random k-by-d mapping with a Fourier transform (via an efficient FFT algorithm) in order to isometrically densify any sparse vector. To prevent the inverse effect, i.e., the sparsification of dense vectors, we add a little randomization to the Fourier transform (see Section 2 for details). The reason this works is because sparse vectors are rare within the space of all vectors. Think of them as forming a tiny ball within a huge one: if you are inside the tiny ball, a random transformation is likely to take you outside; on the other hand, if you are outside to begin with, the transformation is highly unlikely to take you inside the tiny ball.

The resulting FJLT shares the low-distortion characteristics of JL but with a lower running time complexity.

2. THE DETAILS OF FJLT
In this section we show how to construct a matrix Φ drawn from FJLT and then prove that it works, namely:

1. It provides a low distortion guarantee. (In addition to showing that it embeds vectors in low-dimensional ℓ_2^k, we will show it also embeds in ℓ_1^k.)
2. Applying it to a vector is efficiently computable.

The first property is shared by the standard JL and its variants, while the second one is the main novelty of this work.

The matrix Φ is a product of three matrices, Φ = PHD. The matrices P and D are chosen randomly, whereas H is deterministic:

P is a k-by-d matrix. Each element is an independent mixture of 0 with an unbiased normal distribution of variance 1/q, where

  P_ij ∼ N(0, 1/q) with probability q, and
  P_ij = 0 with probability 1 − q.

H is a d-by-d normalized Walsh–Hadamard matrix:

  H_ij = d^{−1/2} (−1)^{⟨i−1, j−1⟩},

where ⟨i, j⟩ is the dot-product (modulo 2) of the m-bit vectors i, j expressed in binary.

D is a d-by-d diagonal matrix, where each D_ii is drawn independently from {−1, 1} with probability 1/2.

The Walsh–Hadamard matrix corresponds to the discrete Fourier transform over the additive group GF(2)^d: its FFT is very simple to compute and requires only O(d log d) steps. It follows that the mapping Φx of any point x ∈ R^d can be computed in time O(d log d + |P|), where |P| is the number of nonzero entries in P. The latter is O(ε^{−2} log n) not only on average but also with high probability. Thus we can assume that the running time of O(d log d + qdε^{−2} log n) is worst-case, and not just expected.

The FJLT Lemma. Given a fixed set X of n points in R^d, ε < 1, and p ∈ {1, 2}, draw a matrix Φ from FJLT. With probability at least 2/3, the following two events occur:

1. For any x ∈ X, …
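Putting the three matrices together gives Φ = PHD. The sketch below applies HD via a fast Walsh–Hadamard transform in O(d log d) and then the sparse Gaussian matrix P. The sparsity parameter q = 0.05 is an arbitrary illustrative value (the paper's exact formula for q is not reproduced in this excerpt), and d must be a power of two.

```python
import numpy as np

rng = np.random.default_rng(1)

def fwht(x):
    """Fast Walsh-Hadamard transform, O(d log d); len(x) must be 2^m.
    Normalized so that the transform is orthogonal (an isometry)."""
    x = x.copy()
    h = 1
    while h < len(x):
        for i in range(0, len(x), 2 * h):
            a = x[i:i + h].copy()
            b = x[i + h:i + 2 * h].copy()
            x[i:i + h] = a + b          # butterfly step
            x[i + h:i + 2 * h] = a - b
        h *= 2
    return x / np.sqrt(len(x))

d, k = 1024, 64
q = 0.05                                # illustrative sparsity parameter

D = rng.choice([-1.0, 1.0], size=d)     # random diagonal signs
mask = rng.random((k, d)) < q           # which entries of P are nonzero
P = np.where(mask, rng.normal(0.0, np.sqrt(1.0 / q), (k, d)), 0.0)

def fjlt(x):
    """Apply Phi = P H D: O(d log d) for the HD part, plus |P| for P."""
    return P @ fwht(D * x)

x = rng.standard_normal(d)
y = fjlt(x)
print(y.shape)  # (64,)
```

Because H and D are both orthogonal, the preconditioning step HD is distortion-free; all the randomness of the embedding's quality lives in the sparse matrix P, exactly as the analysis below requires.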
  y = (y_1, …, y_k)^T = Pu = Φx.

The vector y is the final mapping of x using Φ. It is useful to consider each coordinate of y separately. All coordinates share the same distribution (though not as independent random variables). Consider y_1. By definition of FJLT, it is obtained as follows: Pick random i.i.d. indicator variables b_1, …, b_d, where each b_j equals 1 with probability q; then draw random i.i.d. variables r_1, …, r_d from N(0, 1/q). Set y_1 = Σ_{j=1}^d r_j b_j u_j and let Z = Σ_{j=1}^d b_j u_j^2. It can be shown that the conditional variable (y_1 | Z = z) is distributed N(0, z/q) (this follows from a well-known fact known as the 2-stability of the normal distribution). Note that all of y_1, …, y_k are i.i.d. (given u), and we can similarly define corresponding random i.i.d. variables Z_1 (= Z), Z_2, …, Z_k. It now follows that the expectation of Z satisfies:

  E[Z] = Σ_{j=1}^d q u_j^2 = q ||u||_2^2.   (4)

Let u^2 formally denote (u_1^2, …, u_d^2) ∈ (R^+)^d. By our assumption that (3) holds, u^2 lies in the d-dimensional polytope:

  …   (6)

By (4), E[Z*/q − 1] = 0 and, using (5), … . Plugging this into (6) shows that …, as desired.

Since the expectation of the absolute value of N(0, 1) is √(2/π), by taking conditional expectations, we find that … . On the other hand, by Lemma 1, we note that …, where U ∼ N(0, 1). It is well known that E[|U|^t] ≤ t^{t/2}; and so, by Lemma 1, … . It follows that the moment generating function satisfies … . Therefore, it converges for any 0 ≤ λ < λ_0, where λ_0 is an absolute constant, and … . Using independence, we find that … . Meanwhile, Markov's inequality and (7) imply that … .

Proof: The case q = 1 is trivial because Z is constant and equal to 1. So we assume q = 1/(εm) < 1. It is easy to verify that E[Z^t] is a convex function of u^2, and hence achieves its maximum at a vertex of Δ. So it suffices to prove the moment upper bounds for Z*, which conveniently behaves like a (scaled) binomial. By standard bounds on the binomial moments, …, proving the first part of the lemma.

By Jensen's inequality and (4), … . This proves the upper-bound side of the second part of the lemma. To prove the lower-bound side, we notice that … is a concave function of u^2, and hence achieves its minimum when u = u*. So it suffices to prove the desired lower bound for … . Since, for all x ≥ 0, …, the choice of k ensures that, for any x ∈ X, ||Φx||_1 = ||y||_1 deviates from its mean by at most ε with probability at least 0.95. By (7), this implies that kE[|y_1|] is itself concentrated around … with a relative error of at most ε; rescaling ε by a constant factor and ensuring (3) proves the ℓ_1 claim of the first part of the FJLT lemma.

The ℓ_2 case: We set … .

Lemma 2. With probability at least …, … .

Proof: … is convex, hence achieves its maximum at the vertices of the polytope Δ (same as in the proof of Lemma 1). As argued before, therefore, E[e^{λZ}] ≤ E[e^{λZ*}]. We conclude the proof of the first part with a union bound on standard tail estimates on the scaled binomial Z* that we derive from bounds on its moment generating function E[e^{λZ*}] (e.g., Alon and Spencer6). For the second part, let S = Σ_{i=1}^k Z_i. Again, the moment generating function of S is bounded above by that of S* ∼ m^{−1}B(mk, q) (all Z_i's are distributed as Z*), and the desired concentration bound follows.

We assume from now on that the premise of Lemma 2 holds for all choices of x ∈ X. A union bound shows that this happens with probability of at least 0.95. For each i = 1, …, k the random variable … is distributed as χ^2 with one degree of freedom. It follows that, conditioned on Z_i, the expected value of y_i^2 is Z_i/q and the moment generating function of y_i^2 is … . Given any 0 < λ < λ_0, for fixed λ_0, for large enough x, the moment generating function converges and is equal to … . We use here the fact that Z_i/q = O(1), which we derive from the first part of Lemma 2. By independence, therefore, …, for some λ = Θ(ε). The constraint λ < λ_0 corresponds to ε
being smaller than some absolute constant. The same argu-
ment leads to a similar lower tail estimate. Our choice of
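The construction described above (y = Φx with Φ = P·H·D) can be sketched numerically. This is a minimal illustration under stated assumptions, not the paper's implementation: the dimensions d and k, the sparsity q, and the random seed are arbitrary demo choices.

```python
import numpy as np

def fwht(v):
    """Normalized Fast Walsh-Hadamard transform, O(d log d); len(v) must be a power of 2."""
    v = v.astype(float).copy()
    h, d = 1, len(v)
    while h < d:
        for i in range(0, d, h * 2):
            for j in range(i, i + h):
                a, b = v[j], v[j + h]
                v[j], v[j + h] = a + b, a - b
        h *= 2
    return v / np.sqrt(d)

def fjlt_apply(x, k, q, rng):
    """One draw of y = Phi x with Phi = P.H.D, as defined in the text:
    D is a random +/-1 diagonal, H the Walsh-Hadamard transform, and P a sparse
    k x d matrix whose entries are N(0, 1/q) with probability q and 0 otherwise."""
    d = len(x)
    D = rng.choice([-1.0, 1.0], size=d)
    u = fwht(D * x)                                      # u = HDx in O(d log d)
    b = rng.random((k, d)) < q                           # indicator variables b_j
    r = rng.normal(0.0, 1.0 / np.sqrt(q), size=(k, d))   # r_j ~ N(0, 1/q)
    return (b * r) @ u                                   # y_i = sum_j b_ij r_ij u_j

rng = np.random.default_rng(0)
d, k, q = 1024, 64, 0.2     # illustrative parameters; the lemma's q is smaller
x = rng.normal(size=d)
y = fjlt_apply(x, k, q, rng)
# Each y_i has variance ||u||^2 = ||x||^2 (H and D are orthogonal), so
# ||y|| / sqrt(k) concentrates near ||x||.
```

Note that each coordinate y_i is exactly the sum Σj bj rj uj from the text; rescaling by 1/√k turns concentration of ||y||² into the familiar JL-style norm preservation.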
Running Time: The vector Dx requires O(d) steps, since D is diagonal. Computing H(Dx) takes O(d log d) time using the FFT for Walsh–Hadamard. Finally, computing P(HDx) requires O(|P|) time, where |P| is the number of nonzeros in P. This number is distributed as B(nk, q). It is now immediate to verify that

…

A Markov bound establishes the desired complexity of the FJLT. This concludes our sketch of the proof of the FJLT lemma.

3. APPLICATIONS

3.1. Approximate nearest neighbor searching
Given a metric space (U, dU) and a finite subset (database) P ⊆ U, the problem of ε-approximate nearest neighbor (ε-ANN) searching is to preprocess P so that, given a query x ∈ U, a point p ∈ P satisfying

…

can be found efficiently. In other words, we are interested in a point p further from x by a factor of at most (1 + ε) of the distance to its nearest neighbor.
This problem has received considerable attention, for two good reasons: (i) ANN boasts more applications than virtually any other geometric problem23; (ii) allowing a small error ε makes it possible to break the curse of dimensionality.24, 27 There is abundant literature on (approximate) nearest neighbor searching.8–10, 12, 13, 15, 16, 19, 21–24, 26, 27, 33, 39, 40

3.2. Fast approximation of large matrices
Large matrices appear in virtually every corner of science. Exact algorithms for decomposing or solving large matrices are often prohibitively expensive. This may change given improvements in matrix multiplication technology, but it appears that we will have to rely on matrix approximation strategies for a while, at least in the general case. It turns out that FJLT and ideas inspired by it play an important role in recent developments.
We elaborate on an example from a recent solution by Sarlós36 to the problem of ℓ2 regression (least-squares fitting of an overdetermined linear system). Prior to that work (and ours), Drineas et al.18 showed that, by downsampling (choosing only a small subset and discarding the rest) from the set of equations of the linear regression, an approximate solution to the problem could be obtained by solving the downsampled problem, whose size depends only on the dimension d of the original solution space. The difficulty with this method is that the downsampling distribution depends on the norms of the rows of the left-singular vector matrix of the original system. Computing this matrix is as hard as the original regression problem and requires O(m²d) operations, with m the number of equations. To make this solution more practical, Sarlós observed that multiplying the equation matrix on the left by the m × m orthogonal matrix HD (as defined above in the definition of FJLT) implicitly multiplies the left-singular vectors by HD as well. By an analysis similar to the one above, the resulting left-singular matrix can be shown to have almost uniform row norms. This allows use of Drineas et al.'s ideas with uniform sampling of the equations. Put together, these results imply the first o(m²d)-time solution for worst-case approximate ℓ2 regression.
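The rotate-then-uniformly-sample idea attributed to Sarlós above can be sketched as follows. This is an illustrative sketch, not the paper's algorithm or parameters: the matrix sizes, the sampling rate s, and the helper function names are demo assumptions.

```python
import numpy as np

def fwht(v):
    """Normalized Fast Walsh-Hadamard transform; len(v) must be a power of 2."""
    v = v.astype(float).copy()
    h, d = 1, len(v)
    while h < d:
        for i in range(0, d, h * 2):
            for j in range(i, i + h):
                a, b = v[j], v[j + h]
                v[j], v[j + h] = a + b, a - b
        h *= 2
    return v / np.sqrt(d)

def sketched_lstsq(A, b, s, rng):
    """Rotate the system by the orthogonal matrix HD (which flattens the row
    norms of the left singular vectors), then uniformly sample s of the m
    rotated equations and solve the small s x d least-squares problem."""
    m, _ = A.shape
    D = rng.choice([-1.0, 1.0], size=m)                  # random +/-1 diagonal
    HDA = np.apply_along_axis(fwht, 0, D[:, None] * A)   # H.D.A, column by column
    HDb = fwht(D * b)                                    # H.D.b
    rows = rng.choice(m, size=s, replace=False)          # uniform row sample
    x_hat, *_ = np.linalg.lstsq(HDA[rows], HDb[rows], rcond=None)
    return x_hat

rng = np.random.default_rng(1)
m, d, s = 1024, 10, 100
A = rng.normal(size=(m, d))
x_true = rng.normal(size=d)
b = A @ x_true                 # consistent system, so the demo recovers x exactly
x_hat = sketched_lstsq(A, b, s, rng)
```

Since HD is orthogonal, the rotated system has the same least-squares solution as the original; the point of the rotation is only to make uniform row sampling safe.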
In a recent stream of papers, Liberty, Martinsson, Rokhlin, Tygert, and Woolfe28, 35, 38 design and analyze fast algorithms for low-dimensional approximation of matrices, and demonstrate their application to the evaluation of the SVD of numerically low-rank matrices. Their schemes are based on randomized transformations akin to FJLT.

4. BEYOND FJLT
The FJLT result gives rise to the following question: What is a lower bound, as a function of n, d, and ε, on the complexity of computing a JL-like random linear mapping? By this we mean a mapping that distorts pairwise Euclidean distances among any set of n points in d dimensions by at most 1 ± ε. The underlying model of computation can be chosen as a linear circuit,32 manipulating complex-valued intermediates by either adding two of them or multiplying one by (random) constants, and designating n as input and k = O(ε⁻² log n) as output (say, for p = 2). It is worth observing that any lower bound in Ω(ε⁻² log n · min{d, log² n}) would imply a similar lower bound on the complexity of computing a Fourier transform. Such bounds are known only in a very restricted model31 where constants are of bounded magnitude.
As a particular case of interest, we note that, whenever k = O(d1/3), the running time of FJLT is O(d log d). In a more recent paper, Ailon and Liberty3 improved this bound and showed that it is possible to obtain a JL-like random mapping in time O(d log d) for k = O(d1/2−δ) and any δ > 0. Their transformation borrows from FJLT the idea of preconditioning a Fourier transform with a random diagonal matrix, but uses it differently and takes advantage of stronger measure-concentration bounds and tools from error-correcting codes over fields of characteristic 2. The same authors, together with Singer, consider the following inverse problem4: Design randomized linear-time computable transformations that require the mildest assumptions possible on the data to ensure successful dimensionality reduction.

References
1. Achlioptas, D. Database-friendly random projections: Johnson–Lindenstrauss with binary coins. J. Comput. Syst. Sci. 66, 4 (2003), 671–687.
2. Ailon, N., Chazelle, B. Approximate nearest neighbors and the fast Johnson–Lindenstrauss transform. SIAM J. Comput. 39, 1 (2009), 302–322.
3. Ailon, N., Liberty, E. Fast dimension reduction using Rademacher series on dual BCH codes. Discrete Comput. Geometry (2008).
4. Ailon, N., Liberty, E., Singer, A. Dense fast random projections and lean Walsh transforms. APPROX-RANDOM, 2008, 512–522.
5. Alon, N. Problems and results in extremal combinatorics–I. Discrete Math. 273, 1–3 (2003), 31–53.
6. Alon, N., Spencer, J. The Probabilistic Method. John Wiley, 2nd edition, 2000.
7. Arora, S. Polynomial time approximation schemes for Euclidean traveling salesman and other geometric problems. J. ACM 45, 5 (1998), 753–782.
8. Arya, S., Mount, D.M. Approximate nearest neighbor queries in fixed dimensions. In Proceedings of the 4th Annual ACM-SIAM Symposium on Discrete Algorithms (SODA) (Austin, TX, 1993), 271–280.
9. Arya, S., Mount, D.M., Netanyahu, N.S., Silverman, R., Wu, A.Y. An optimal algorithm for approximate nearest neighbor searching in fixed dimensions. J. ACM 45, 6 (1998), 891–923.
10. Bern, M.W. Approximate closest-point queries in high dimensions. Inf. Process. Lett. 45, 2 (1993), 95–99.
11. Bingham, E., Mannila, H. Random projection in dimensionality reduction: Applications to image and text data. In Knowledge Discovery and Data Mining, 2001, 245–250.
12. Borodin, A., Ostrovsky, R., Rabani, Y. Lower bounds for high dimensional nearest neighbor search and related problems. In Proceedings of the 31st Annual Symposium on the Theory of Computing (STOC) (1999), 312–321.
13. Chan, T.M. Approximate nearest neighbor queries revisited. Discrete Comput. Geometry 20, 3 (1998), 359–373.
14. Christofides, N. Worst-case analysis of a new heuristic for the travelling salesman problem. Technical Report, Graduate School of Industrial Administration, Carnegie-Mellon University, Pittsburgh, 1976, 388.
15. Clarkson, K.L. An algorithm for approximate closest-point queries. In Proceedings of the 10th Annual ACM Symposium on Computational Geometry (SoCG) (1994), 160–164.
16. Clarkson, K.L. Nearest neighbor queries in metric spaces. Discrete Comput. Geometry 22, 1 (1999), 63–93.
17. DasGupta, S., Gupta, A. An elementary proof of the Johnson–Lindenstrauss lemma. Technical Report, UC Berkeley, 1999, 99–106.
18. Drineas, P., Mahoney, M.W., Muthukrishnan, S. Sampling algorithms for ℓ2 regression and applications. In Proceedings of the 17th Annual ACM-SIAM Symposium on Discrete Algorithms (SODA) (Miami, FL, 2006).
19. Farach-Colton, M., Indyk, P. Approximate nearest neighbor algorithms for Hausdorff metrics via embeddings. In Proceedings of the 40th Annual IEEE Symposium on Foundations of Computer Science (FOCS) (1999), 171–180.
20. Frankl, P., Maehara, H. The Johnson–Lindenstrauss lemma and the sphericity of some graphs. J. Comb. Theory Ser. A 44 (1987), 355–362.
21. Indyk, P. On approximate nearest neighbors in non-Euclidean spaces. In Proceedings of the 39th Annual IEEE Symposium on Foundations of Computer Science (FOCS) (1998), 148–155.
22. Indyk, P. Dimensionality reduction techniques for proximity problems. In Proceedings of the 11th Annual ACM-SIAM Symposium on Discrete Algorithms (SODA) (2000), 371–378.
23. Indyk, P. Nearest neighbors in high-dimensional spaces. In Handbook of Discrete and Computational Geometry. CRC, 2004.
24. Indyk, P., Motwani, R. Approximate nearest neighbors: Towards removing the curse of dimensionality. In Proceedings of the 30th Annual ACM Symposium on Theory of Computing (STOC) (1998), 604–613.
25. Johnson, W.B., Lindenstrauss, J. Extensions of Lipschitz mappings into a Hilbert space. Contemp. Math. 26 (1984), 189–206.
26. Kleinberg, J.M. Two algorithms for nearest-neighbor search in high dimensions. In Proceedings of the 29th Annual ACM Symposium on Theory of Computing (STOC) (1997), 599–608.
27. Kushilevitz, E., Ostrovsky, R., Rabani, Y. Efficient search for approximate nearest neighbor in high dimensional spaces. SIAM J. Comput. 30, 2 (2000), 457–474.
28. Liberty, E., Woolfe, F., Martinsson, P.-G., Rokhlin, V., Tygert, M. Randomized algorithms for the low-rank approximation of matrices. Proc. Natl. Acad. Sci. (PNAS) 104, 51 (2007), 20167–20172.
29. Linial, N., London, E., Rabinovich, Y. The geometry of graphs and some of its algorithmic applications. Combinatorica 15, 2 (1995), 215–245.
30. Mitchell, J.S.B. Guillotine subdivisions approximate polygonal subdivisions: A simple new method for the geometric k-MST problem. SIAM J. Comput. 28, 4 (1999), 1298–1309.
31. Morgenstern, J. Note on a lower bound on the linear complexity of the fast Fourier transform. J. ACM 20, 2 (1973), 305–306.
32. Morgenstern, J. The linear complexity of computation. J. ACM 22, 2 (1975), 184–194.
33. Muthukrishnan, S., Sahinalp, S.C. Simple and practical sequence nearest neighbors with block operations. In Proceedings of the 13th Annual Symposium on Combinatorial Pattern Matching (CPM) (2002), 262–278.
34. Papadimitriou, C., Raghavan, P., Tamaki, H., Vempala, S. Latent semantic indexing: A probabilistic analysis. In Proceedings of the 17th ACM Symposium on Principles of Database Systems (PODS) (1998), 159–168.
35. Rokhlin, V., Tygert, M. A fast randomized algorithm for overdetermined linear least-squares regression. Proc. Natl. Acad. Sci. (PNAS) 105, 36 (2008), 13212–13217.
36. Sarlós, T. Improved approximation algorithms for large matrices via random projections. In Proceedings of the 47th Annual IEEE Symposium on Foundations of Computer Science (FOCS) (Berkeley, CA, 2006).
37. Schulman, L. Clustering for edge-cost minimization. In Proceedings of the 32nd Annual Symposium on Theory of Computing (STOC) (2000), 547–555.
38. Woolfe, F., Liberty, E., Rokhlin, V., Tygert, M. A fast randomized algorithm for the approximation of matrices. Appl. Comput. Harmon. Anal. 25 (2008), 335–366.
39. Yianilos, P.N. Data structures and algorithms for nearest neighbor search in general metric spaces. In Proceedings of the 4th Annual ACM-SIAM Symposium on Discrete Algorithms (SODA) (1993), 311–321.
40. Yianilos, P.N. Locally lifting the curse of dimensionality for nearest neighbor search (extended abstract). In Proceedings of the 11th Annual ACM-SIAM Symposium on Discrete Algorithms (SODA) (2000), 361–370.

Nir Ailon (nailon@gmail.com), Google Research.
Bernard Chazelle (chazelle@cs.princeton.edu), Department of Computer Science, Princeton University.

© 2010 ACM 0001-0782/10/0200 $10.00
Technical Perspective
Want to be a Bug Buster?
By Shekhar Y. Borkar
MICROPROCESSOR PERFORMANCE HAS increased exponentially, made possible by increasing transistor performance and doubling the number of transistors every two years to realize complex architectures. These chips with ever-increasing complexity are not always fully functional on the first attempt; they need to be debugged quickly, bugs fixed, and reworked. We take this for granted, but did you ever wonder how it is done?
Painfully, is the short answer!
There are two types of bugs: functional or logic bugs caused by design errors, and electrical bugs due to circuit marginalities, caused by unfavorable operating conditions such as temperature changes and voltage drops. Although most of the functional bugs are caught during rigorous design validation and verification, it is virtually impossible to ensure that a design is bug-free before tape-out.
Circuit designers make great efforts to improve margins to avoid electrical bugs, but they too are difficult to avoid, and especially difficult to reproduce since they are manifested by various operating conditions. It is extremely important to find these bugs quickly post-fabrication, and current techniques are far too expensive and time-consuming. The novel technique described in the following paper by Sung-Boem Park and Subhasish Mitra, entitled "Post-Silicon Bug Localization for Processors Using IFRA," provides the breakthrough.
When an error is detected it could be caused by one or more such bugs, and you need to identify what caused the error; root-causing the error is not that straightforward. The error may be caused by encountering a bug during an instruction execution, or it may be thousands, or even billions, of instruction executions before. You must be a very good detective to diagnose and isolate the bug.
Post-silicon bug localization and isolation is time-consuming and costly because you have to reproduce the failures by returning the hardware to an error-free state, activating the failure-causing stimuli, and then reproducing the same failures—the most difficult task, considering complexities such as asynchronous signals and multiple clock domains.
If you are a detective and want to catch bad guys, one of the first steps is to acquire the surveillance video from the scene to get the clues. If the surveillance camera is rolling around the clock, you will likely be required to watch the entire tape before coming upon the culprit; very tedious indeed. Wouldn't it be nice if the camera rolled only when sensing an action taking place? Yes, but it would still require watching every activity recorded by the camera and would still be a time-consuming and wasteful task. Better yet, what if the camera recorded only suspicious activity, capturing all the necessary circumstantial evidence, and not necessarily the culprits? That would be an optimal solution and would make the detective's job a lot easier. This scenario is exactly what IFRA does.
IFRA implements circular buffers, capable of recording traces of instructions executed by the processor, and this process is controlled by failure detectors. These detectors use failure detection in the hardware, such as parity errors, as well as soft-triggers that suspect an early symptom of a failure. These triggers stop further recording in the circular buffer, capturing the instruction trace of the suspected part of the instruction sequence for future analysis.
The traditional method of isolating a bug is comparing the captured instruction trace with a golden trace captured by a trusted simulator. Simulators are notoriously slow, and the process is very time-consuming. The authors of this paper propose a novel concept of self-consistency to localize the bug by examining the instruction trace. For example, if an instruction uses a faulty operand, you do not need to know the exact value of the operand. It is sufficient to know that the instruction used a different value than the one that was produced for its use. The authors describe in detail how to diagnose and root-cause the bug using the captured instruction trace and self-consistency.
Clearly, this is a very novel approach to post-silicon debug, and I would not be surprised to see it catch on quickly; but it's just a start. This paper describes how to debug a microprocessor, and this technique has great potential to go further and help debug multicores, memory systems, analog circuits, and even complex SOCs.
Finally, as a critique, you may claim that IFRA adds hardware to the chip that is useful only for debugging. Not really. Transistors are inexpensive, so inexpensive that it is almost like incorporating a small logic analyzer or a tester on the chip itself to aid in debugging, and then turning it off; you don't even notice it is there.
Is there better use for a transistor than to help bring products to you quickly and inexpensively?

Shekhar Y. Borkar is an Intel Fellow and Director of Microprocessor Research, Intel Corp., Hillsboro, OR.

© 2010 ACM 0001-0782/10/0200 $10.00
Figure 2. Superscalar processor augmented with recording infrastructure.

Table 2. Auxiliary information for each pipeline stage. The 2-bit and 3-bit residues are obtained by performing mod-3 and mod-7 operations on the original values, respectively.
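The mod-3 and mod-7 residues mentioned in Table 2 can be illustrated with a short sketch. This demonstrates a generic residue-code property, not IFRA-specific code: residues are cheap to record and compare, and they commute with arithmetic, so an operand/result pair can be checked for consistency without storing the full-width values.

```python
# The 2-bit residue of a value v is v mod 3; the 3-bit residue is v mod 7.
# Residues commute with addition: (a + b) mod r == ((a mod r) + (b mod r)) mod r.
a, b = 0xDEADBEEF, 12345
s = a + b
for r in (3, 7):
    assert s % r == ((a % r) + (b % r)) % r

# A single bit flip always changes both residues, because 2**n mod 3 is never 0
# (it alternates 1, 2) and 2**n mod 7 is never 0 (it cycles 1, 2, 4):
corrupted = s ^ (1 << 13)
detected = (corrupted % 3 != s % 3) and (corrupted % 7 != s % 7)
```

This is why a 2-bit plus a 3-bit residue per value suffice for the cheap in-pipeline checks the paper relies on.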
2. An ID (identification) assignment unit responsible for assigning and appending an ID to each instruction that enters the processor.
3. A post-trigger generator, which is a mechanism for deciding when to stop recording.

While an instruction, with an ID appended, flows through a pipeline stage, it generates an instruction footprint corresponding to that pipeline stage, which is stored in the recorder associated with that pipeline stage. An instruction footprint corresponding to a pipeline stage consists of:

1. The instruction's ID that was appended.
2. Auxiliary information (Table 2) that tells us what the instruction did in the microarchitectural blocks contained in that pipeline stage.

Synthesis results (using Synopsys Design Compiler with the TSMC 0.13 micron library) show that the area impact of the IFRA hardware infrastructure is 1% on the Illinois Verilog Model24 assuming a 2MB on-chip cache, which is typical of current desktop/server processors. The area cost is dominated by the circular buffers present in the recorders. Interconnect area cost is relatively low because the wires connecting the recorders (Figure 2) operate at slow speed, and a large portion of this routing reuses existing on-chip scan chains that are present for manufacturing testing purposes.

2.1. ID-assignment unit
For the recorded data to be useful for offline analysis, it is necessary to identify which of the trillions of instructions that passed through the processor produced each of the recorded footprints. Hence, each footprint in a recorder must have an identifier or ID.
Simplistic ID assignment schemes have limited applicability. For example, assigning consecutive numbers to each incoming instruction, in a circular fashion, using very wide IDs is wasteful: using 40-bit IDs would increase the total instruction footprint storage from 60KB to 160KB. When IDs are too short, e.g., 8-bit IDs if there can be only 256 instructions in a processor at any one time, aliasing can occur for processors supporting out-of-order execution and pipeline flushes.
Figure 3. Post-analysis summary: Park et al.18 describe the exact questions asked at each decision node. (HLA: high-level analysis.)

Figure 4. Instruction footprint linking, with a maximum number of 2 instructions in flight (i.e., n = 2).
low-level analysis (Section 3.3), represented as a decision diagram, asks a series of microarchitecture-specific questions until the final bug location–time pair(s) is obtained. The bug-exposing stimuli are derived from the location–time pairs. Currently, the decision diagram is created manually based on the microarchitecture. Automatic generation of such decision diagrams is a topic of future research.
The post-analysis techniques rely on the concept of self-consistency, which checks for the existence of contradictory events in collected footprints with respect to the test-program binary. While such checks are extensively used in fault-tolerant computing for error detection,12, 16, 23 the key difference here is that we use them for bug localization. Such application is possible because, unlike fault-tolerant computing, the checks are performed off-line, enabling more complex analysis for localization purposes.

3.1. Footprint linking
Figure 4 shows a part of a test program and the contents of three (out of many) recorders right after they are scanned out. As explained in Section 2, since we use short instruction IDs (8 bits for an Alpha 21264-like processor), we end up having multiple footprints with the same ID in the same recorder and/or multiple recorders. For example, in Figure 4, ID 0 appears in three entries of the fetch-stage recorder, in two entries of the issue-stage recorder, and in three entries of the execution-stage recorder.
Which of these ID 0s correspond to the same instruction? This question is answered by the following special properties enforced by the ID assignment scheme presented in Section 2.1:

Property 1. All flushed instructions are identified by utilizing Rule 3 in our special ID assignment scheme (Section 2.1).
Property 2. If instruction A was fetched before instruction B, and they both have the same ID, then A will always exit any pipeline stage (and leave its footprint in the corresponding recorder) before B does for that same pipeline stage.

In Figure 4, using the first property, footprints corresponding to flushed instructions are identified and discarded. After discarding, using the second property, the youngest ID 0s across all recorders are linked together, followed by linking of the second youngest ID 0s, and so on. Since the PC is stored in the fetch-stage recorder, we can link the instruction ID back to the test program binary to find the corresponding instruction.

3.2. High-level analysis
IFRA uses four high-level analysis techniques: (1) data dependency analysis, (2) program control-flow analysis, (3) load-store analysis, and (4) decoding analysis.
Each analysis technique is applied separately. We are interested in the inconsistency that is closest to the electrical bug manifestation in terms of time (i.e., the eldest inconsistency). Thus, if multiple techniques identify inconsistencies, the reported inconsistencies are compared to see which one occurred the earliest. The high-level analysis technique with the earliest occurring inconsistency then decides the entry point into the decision diagram for low-level analysis. Here we briefly explain the control-flow analysis, one of the high-level analysis techniques, to illustrate the idea.
In the program control-flow analysis, four types of illegal transitions are searched for in the PC sequence of the serial execution trace (obtained from the fetch-stage recorder and test-program binary during footprint linking), starting from the eldest PC:

1. The PC does not increment by +4 except in the presence of a control-flow transition instruction (e.g., branch, jump).
2. A PC jump does not occur in the presence of an unconditional transition instruction.
3. The PC does not jump to the correct target in the presence of a direct transition (with a target address that does not depend on a register value).
4. The PC does not jump to an address that is part of the executable address space (determined from the program binary) in the presence of a register-indirect transition (with a target address that depends on a register value).
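The four checks above can be sketched as a small consistency checker over a PC trace. The instruction model below (a `(kind, target)` pair per static instruction) and the fixed 4-byte instruction width are illustrative assumptions consistent with the Alpha-like ISA in the text, not the paper's implementation.

```python
# Sketch of the program control-flow analysis described above. Each static
# instruction is modeled as (kind, target) with kind in {"plain", "cond",
# "uncond", "indirect"}; target is the fixed destination of a direct
# branch/jump, or None.

def first_illegal_transition(trace, program, valid_pcs):
    """Return the index of the first illegal PC transition in the trace, or None.
    The four rules mirror the numbered list in the text."""
    for i in range(len(trace) - 1):
        pc, nxt = trace[i], trace[i + 1]
        kind, target = program[pc]
        if kind == "plain" and nxt != pc + 4:
            return i  # rule 1: PC changed without a control-flow instruction
        if kind == "uncond" and nxt == pc + 4 and target != pc + 4:
            return i  # rule 2: no jump on an unconditional transition
        if kind in ("cond", "uncond") and nxt != pc + 4 and nxt != target:
            return i  # rule 3: direct transition to the wrong target
        if kind == "indirect" and nxt not in valid_pcs:
            return i  # rule 4: indirect transition left the executable space
    return None

program = {
    0:  ("plain", None),
    4:  ("cond", 16),        # conditional branch to 16
    8:  ("plain", None),
    12: ("uncond", 0),       # unconditional jump back to 0
    16: ("indirect", None),  # register-indirect jump
}
valid_pcs = set(program)
good = [0, 4, 16, 8, 12, 0]  # legal: branch taken, indirect lands in the binary
bad = [0, 4, 12]             # illegal: branch at PC 4 lands on neither 8 nor 16
```

In IFRA the index returned by such a check marks the eldest inconsistency, which then selects the entry point into the low-level decision diagram.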
the register used for the register-indirect transition. Instructions B and C have a producer–consumer relationship: B writes its result into register R0, and C uses a value from register R0.
The first question in the decision diagram is whether C consumed the value B produced. The execute-stage recorder contains the residues of results, and the issue-stage recorder contains the residues of operands of instructions. Comparing the two values during post-analysis shows that they do not match; i.e., B produced a value with a residue of 5, while C received a value with a residue of 3. This is clearly a problem.
The second question in the decision diagram is whether C and B used the same physical register to pass along the value. Analysis of the contents of the dispatch-stage recorder, which records the physical register name, reveals that B wrote its result into physical register P2, while C read its operand value from physical register P5, and they are not the same, as shown in Figure 6.

Figure 7. Third question asked in the low-level analysis example: Did C and A use the same physical register to pass along the value? Answer: Yes.
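The first two decision-diagram questions above can be sketched with hypothetical recorder entries. The field names and dictionary representation are illustrative assumptions, not IFRA's actual footprint format.

```python
# Hypothetical recorder contents for the example above: B is the producer of R0,
# C the consumer. Residues are the mod-7 values recorded at the execute and
# issue stages; physical register names come from the dispatch-stage recorder.
producer_B = {"arch_reg": "R0", "phys_reg": "P2", "result_residue": 5}
consumer_C = {"arch_reg": "R0", "phys_reg": "P5", "operand_residue": 3}

# Q1: did C consume the value B produced? (compare recorded residues)
value_consistent = producer_B["result_residue"] == consumer_C["operand_residue"]

# Q2: did B and C use the same physical register to pass along the value?
register_consistent = producer_B["phys_reg"] == consumer_C["phys_reg"]

# Both checks fail here (residue 5 vs. 3, P2 vs. P5), so the analysis steers
# toward the rename/dispatch logic rather than the ALU.
```

Note that neither check needs the full data values, only the few recorded bits per footprint; that is what keeps the recorders small.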
units), there are 200 different microarchitectural blocks cases where none of the returned pairs were correct, even
(excluding array structures and arithmetic units since if either location or time is correct. In addition, we pes-
errors inside those structures are immediately detected simistically report all errors that resulted in Case 3 as
and localized using parity and/or residue codes, as dis- “completely missed.” All error injections were performed
cussed in Section 2.2). Each block has an average size after a million cycles from the beginning of the program
equivalent of 10K 2-input NAND gates. Seven bench- in order to demonstrate that there is no need to keep
marks from SPECint2000 (bzip2, gcc, gap, gzip, mcf, track of footprints from the beginning.
parser, vortex) were chosen as validation test programs It is clear from Figure 9 that a large percentage of bugs
as they represent a variety of workloads. Each recorder were uniquely located to correct location–time pair, while
was sized to have 1024 entries. very few bugs were completely missed, demonstrating the
All bugs were modeled as single bit-flips at flip-flops to effectiveness of IFRA.
target hard-to-repeat electrical bugs. This is an effective
model because electrical bugs eventually manifest them- 5. CONCLUSION
selves as incorrect values arriving at flip-fops for certain IFRA targets the problem of post-silicon bug localization in
input combinations and operating conditions.15 a system setup, which is a major challenge in processor post-
Errors were injected in one of 1191 flip-flops [Park and silicon design validation. There are two major novelties of
Mitra17]. No errors were injected inside array structures IFRA:
since they have built-in parities for error detection.
Upon error injection, the following scenarios are 1. High-level abstraction for bug localization using
possible: low-cost hardware recorders that record semantic
information about instruction data and control flows concurrently in a system setup.
2. Special techniques, based on self-consistency, to analyze the recorded data for localization after failure detection.

IFRA overcomes major post-silicon bug localization challenges:

1. It helps bridge a major gap between system-level and circuit-level debug.
2. Failure reproduction is not required.
3. Self-consistency checks associated with the analysis techniques minimize the need for full system-level simulation.

IFRA creates several interesting research directions:

1. Automated construction of the post-analysis decision diagram for a given microarchitecture.
2. Sensitivity analysis and characterization of the interrelationships between post-analysis techniques, architectural features, error detection mechanisms, recorder sizes, and bug types.
3. Application to homogeneous/heterogeneous multi- and many-core systems, and to systems-on-chip (SoCs) consisting of nonprocessor designs.

1. The error vanishes without any effect at the system level, or produces an incorrect program output without any post-trigger firing. This case relates to the coverage of validation test programs and post-triggers, and is not the focus of this paper.
2. Failure manifestation with short error latency, where recorders successfully capture the history from error injection to failure manifestation (including situations where recording is stopped or paused upon activation of soft post-triggers).
3. Failure manifestation with long error latency, where 1,024-entry recorders fail to capture the history from error injection to failure (including soft triggers).

Out of 100,000 error-injection runs, 800 resulted in Cases 2 and 3. Figure 9 presents results from these two cases. The "exactly located" category represents the cases in which IFRA returned a single, correct location–time pair (as defined in Section 1). The "candidate located" category represents the cases in which IFRA returned multiple location–time pairs (called candidates) out of over 200,000 possible pairs (1 out of 200 microarchitectural blocks and 1 out of 1,000 cycles), and at least one pair was fully correct in both location and time. The "completely missed" category represents the remaining cases, in which no returned pair was correct in both location and time.
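The three outcome categories can be made concrete with a small sketch (hypothetical Python, not the authors' tooling; the block names and cycle numbers are illustrative): each analysis run returns a list of candidate (block, cycle) pairs, which is scored against the injected ground-truth pair.

```python
# Hypothetical illustration of the Figure 9 scoring, not IFRA's actual code.
# A localization result is a list of candidate (block, cycle) pairs; the
# injected error provides the ground-truth pair.

def classify_run(candidates, truth):
    """Score one error-injection run against the injected (block, cycle) pair."""
    if candidates == [truth]:
        return "exactly located"    # single candidate, correct in both dimensions
    if truth in candidates:
        return "candidate located"  # correct pair among multiple candidates
    return "completely missed"      # no candidate matches both location and time

# Example runs over a notional 200-block x 1,000-cycle search space:
truth = ("decoder", 412)
print(classify_run([("decoder", 412)], truth))               # exactly located
print(classify_run([("decoder", 412), ("alu", 97)], truth))  # candidate located
print(classify_run([("fetch", 3)], truth))                   # completely missed
```

Under this scoring, the first two categories together correspond to the "correct localization" outcomes reported in Figure 9.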
Figure 9. IFRA bug localization summary. [Pie chart: exact localization, 78%; candidate localization, 22%, with an average of 6 candidates out of 200,000; correct localization in total, 96%; complete miss, 4%.]

Acknowledgment
The authors thank A. Bracy, B. Gottlieb, N. Hakim, D. Josephson, P. Patra, J. Stinson, and H. Wang of Intel Corporation, O. Mutlu and S. Blanton of Carnegie Mellon University, T. Hong of Stanford University, and E. Rentschler of AMD for helpful discussions and advice. This research is supported in part by the Semiconductor Research Corporation and the National Science Foundation. Sung-Boem Park is also partially supported by a Samsung Scholarship, formerly the Samsung Lee Kun Hee Scholarship Foundation.
Take Advantage of
ACM’s Lifetime Membership Plan!
ACM Professional Members can enjoy the convenience of making a single payment for their
entire tenure as an ACM Member, and also be protected from future price increases by
taking advantage of ACM's Lifetime Membership option.
ACM Lifetime Membership dues may be tax deductible under certain circumstances, so
becoming a Lifetime Member can have additional advantages if you act before the end of
2009. (Please consult with your tax advisor.)
Lifetime Members receive a certificate of recognition suitable for framing, and enjoy all of
the benefits of ACM Professional Membership.
Assistant Professorships (Tenure Track) in Computer Science

The Department of Computer Science at ETH Zurich (www.inf.ethz.ch) invites applications for assistant professorships (Tenure Track) in the areas of:
– Software Engineering
– Computer Graphics
– Computational Intelligence
– Human-Computer Interaction

Applicants should have internationally recognized expertise in their field and pursue research at the forefront of Computer Science. The successful candidate should establish and lead a strong research program. He or she will be expected to supervise Ph.D. students and teach both undergraduate level courses (in German or English) and graduate level courses (in English).

The Department offers a stimulating and well-supported research and teaching environment. Collaboration in research and teaching is expected both within the Department and with other groups of the ETH domain and related institutions.

Assistant professorships have been established to promote the careers of younger scientists. The initial appointment is for four years, with the possibility of renewal for an additional two-year period and promotion to a permanent position.

Please submit your curriculum vitae, a list of publications, names of at least three senior referees, and statements on future research and teaching activities to the President of ETH Zurich, Prof. Dr. Ralph Eichler, ETH Zurich, Raemistrasse, Zurich, Switzerland, or via e-mail to faculty-recruiting@sl.ethz.ch, no later than March.

With a view toward increasing the number of female professors, ETH Zurich specifically encourages qualified female candidates to apply.
Temple University
Tenure-Track, Open Rank

These materials are available at no cost, but only for non-commercial use by universities. For more information, visit www.microsoft.com/WindowsAcademic or e-mail compsci@microsoft.com.

The Department of Computer Science at Texas Christian University seeks candidates at the Assistant or Associate Professor level for a tenure-track position in Computer Science to start on or after August 1, 2010. Applicants are expected to have an earned doctorate in Computer Science or a related field, must have excellent verbal and written communication skills, and a strong commitment to teaching and
Dean of Computer and Communication Sciences at Ecole polytechnique fédérale de Lausanne (EPFL)

EPFL is conducting an international search for the Dean of the School of Computer and Communication Sciences, to take office by the fall.

EPFL, located in Lausanne, Switzerland, is a leading European university and a dynamically growing and well-funded institution fostering excellence and diversity. It has a highly international campus at an exceptionally attractive location and a first-class infrastructure. As a technical university, it covers computer & communication sciences, engineering, environmental, basic and life sciences, management of technology, and financial engineering. It offers a fertile environment for research cooperation between different disciplines.

The School of Computer and Communication Sciences has experienced a strong development over the recent years to become one of the top departments in its area in Europe. The School enrolls students in its bachelor and master programs in computer science and communication systems, has a highly competitive doctoral program with PhD candidates recruited worldwide, and hosts important industrial and research centers such as the Swiss National Center of Excellence in Research in Mobile Information and Communication Systems and industry lablets by Nokia, SwissCom, and Logitech.

The Dean bears the overall responsibility for the school in matters of education, research, finance, and organization, and reports to the President of EPFL. The position offers competitive compensation and tenure at full professor level. Candidates should have an outstanding academic record, a strong vision for the development of the faculty in research, teaching, and technology transfer, proficiency in recruiting, and exceptional leadership, communication, and management skills. EPFL will provide the means to realize a strategic development of the school over the coming years, with the objective to establish world-class leadership in education and research.

The School of Computer and Communication Sciences Dean Search Committee invites letters of nomination, applications (vision statement, complete CV, and the names of professional references), or expressions of interest. The screening of applications will start in March. Materials and inquiries should be addressed, preferably electronically (PDF format), to:

Prof. Karl Aberer
Chairman of the Search Committee
e-mail: karl.aberer@epfl.ch

More information on EPFL and the School of Computer and Communication Sciences can be found at http://www.epfl.ch and http://ic.epfl.ch, respectively.

EPFL is committed to balance genders within its faculty and strongly encourages women to apply.
technology town of Brazil, in the State of São Paulo, which accounts for 40% of Brazil's GNP.

University of Massachusetts Amherst
Department of Computer Science
Faculty Positions in Computer Science

The University of Massachusetts Amherst invites applications for two tenure-track faculty positions at the assistant professor level. Applicants must have a Ph.D. in Computer Science or a related area and should show evidence of exceptional research promise.

For the first position, we seek Computer Science candidates able to collaborate with the departments of Linguistics and Psychology. The applicant should have a strong background in Natural Language Processing, preferably in the area of Syntax and Semantics. The applicant should also show a strong record of publication in Natural Language Processing and other areas that relate to Linguistics and Psychology, such as Machine Learning, Data Mining, and Information Retrieval. A history of interdepartmental collaboration is desirable but not required. (R36783)

For the second position, we seek Computer Science candidates who can collaborate with the departments of Sociology, Political Science, and Mathematics & Statistics. We seek a candidate in the area of Computational Social Science, or related areas of applied and theoretical computer science that could be relevant to the social sciences, such as social network analysis. (R36785)

The department is committed to the development of a diverse faculty and student body, and is very supportive of junior faculty, providing both formal and informal mentoring. We have a strong record of NSF CAREER awards and other early research funding. We lead the NSF-funded Commonwealth Alliance for Information Technology Education (CAITE) to design and carry out comprehensive programs that address underrepresentation in information technology (IT) education and the workforce.

The Department of Computer Science has 40 tenure and research track faculty and 180 Ph.D. students with broad interdisciplinary research interests. The department offers first-class research facilities. Please see http://www.cs.umass.edu for more information. The University provides an intellectual environment committed to academic excellence and diversity, including mentoring programs for faculty. The College and the Department are committed to increasing the diversity of the faculty, student body, and the curriculum. To apply, please send a cover letter referencing search R36783 or R36785 with your vita, a research statement, a teaching statement, and at least three letters of recommendation.

We also invite applications for Research Faculty (R36769) and Research Scientist, Postdoctoral Research Associate, and Research Fellow (R36768) positions in all areas of Computer Science. Applicants should have a Ph.D. in Computer Science or a related area (or an M.S. plus equivalent experience), and should show evidence of exceptional research promise. These positions are grant-funded; appointments will be contingent upon continued funding. To apply, please send a cover letter with your vita, a research statement, and at least three letters of recommendation.

Electronic submission of application materials is recommended. Application materials may be submitted in pdf format to facrec@cs.umass.edu. Hard copies of the application materials may be sent to: Search {fill in number from above}, c/o Chair of Faculty Recruiting, Department of Computer Science, University of Massachusetts, Amherst, MA 01003.

We will begin to review applications on January 4, 2010 and will continue until available positions are filled. Salary and rank commensurate with education and experience; comprehensive benefits package. Positions to be filled dependent upon funding. Inquiries and requests for more information can be sent to: facrec@cs.umass.edu

The University of Massachusetts is an Affirmative Action/Equal Opportunity employer. Women and members of minority groups are encouraged to apply.

University of Toronto
Assistant Professor - Computer Science

The Department of Computer and Mathematical Sciences, University of Toronto Scarborough (UTSC), and the Graduate Department of Computer Science, University of Toronto, invite applications for a tenure-stream appointment at the rank of Assistant Professor, to begin July 1, 2010.

We are interested in candidates with research expertise in Computer Systems, including Operating Systems, Networks, Distributed Systems, Database Systems, Computer Architecture, Programming Languages, and Software Engineering.

Candidates should have, or be about to receive, a Ph.D. in computer science or a related field. They must demonstrate an ability to pursue innovative research at the highest level, and a commitment to undergraduate and graduate teaching. Evidence of excellence in teaching and research is necessary. Salary will be commensurate with qualifications and experience.

The University of Toronto is an international leader in computer science research and education, and the Department of Computer and Mathematical Sciences enjoys strong ties to other units within the University. The successful candidate for this position will be expected to participate actively in the Graduate Department of Computer Science at the University of Toronto, as well as to contribute to the enrichment of computer science academic programs at the University's Scarborough campus.

Application materials, including curriculum vitae, research statement, teaching statement, and three to five letters of recommendation, should be submitted online at www.mathjobs.org, preferably well before our deadline of January 17, 2010. PLEASE NOTE THAT WE ARE ONLY ACCEPTING APPLICATIONS AT: www.mathjobs.org

For more information about the Department of Computer & Mathematical Sciences @ UTSC, please visit our home page: www.utsc.utoronto.ca/~csms

University of Toronto
Lecturer - Computer Science

The Department of Computer and Mathematical Sciences, University of Toronto Scarborough (UTSC), invites applications for a full-time position in Computer Science at the rank of Lecturer, to begin July 1, 2010.

We are especially interested in candidates who will help advance our curriculum in the areas of computer systems, computer architecture, and software engineering.

Appointments at the rank of Lecturer may be renewed annually to a maximum of five years. In the fifth year of service, Lecturers shall be reviewed and a recommendation made with respect to promotion to the rank of Senior Lecturer.

Responsibilities include lecturing, conducting tutorials, grading, and curriculum development in a variety of undergraduate courses. Candidates should have a post-graduate degree, preferably a PhD, in Computer Science or a related field, and must demonstrate potential for excellence in teaching at the undergraduate level. Salary will be commensurate with qualifications and experience.

Application materials, including curriculum vitae, a statement of career goals and teaching philosophy, evidence of teaching excellence, and a minimum of three reference letters, should be submitted online at: www.mathjobs.org, preferably well before our deadline of March 1, 2010. PLEASE NOTE THAT WE ARE ONLY ACCEPTING APPLICATIONS AT: www.mathjobs.org

For more information about the Department of Computer & Mathematical Sciences @ UTSC, please visit our home page at: www.utsc.utoronto.ca/~csms

University of Toronto
Mendelzon Visiting Assistant Professor

The Department of Computer and Mathematical Sciences, University of Toronto Scarborough (UTSC), invites applications for a non-tenure-stream, two-year appointment as the Mendelzon Visiting Assistant Professor, to begin July 1, 2010.

We will consider applicants in all areas of computer science, but are especially interested in applicants who will help advance our curriculum in computer systems and software engineering.

The University of Toronto is an international leader in computer science research and education, and the Department of Computer and Mathematical Sciences enjoys strong ties to other units within the University. The successful candidate for this position will be encouraged to engage in collaborative research with other computer science faculty at the university, as well as to contribute to the enrichment of computer science academic programs at the University's Scarborough campus.

Candidates should have, or be about to receive, a Ph.D. in computer science or a related field. They must demonstrate an ability to pursue innovative research, and a commitment to undergraduate teaching.

Application materials, including curriculum vitae, research statement, teaching statement, and three to five letters of recommendation, should be submitted online at www.mathjobs.org, preferably well before our deadline of January 17, 2010.

The University of Toronto is strongly committed to diversity within its community and especially welcomes applications from visible minority group members, women, Aboriginal persons, persons with disabilities, members of sexual minority groups, and others who may contribute to the further diversification of ideas. All qualified candidates are encouraged to apply; however, Canadians and permanent residents will be given priority.

The Mendelzon Visiting Assistant Professorship is a position created in memory of Alberto Mendelzon, FRSC, distinguished computer scientist and former chair of the Department of Computer and Mathematical Sciences, University of Toronto Scarborough.

PLEASE NOTE THAT WE ARE ONLY ACCEPTING APPLICATIONS AT: www.mathjobs.org

For more information about the Department of Computer & Mathematical Sciences @ UTSC, please visit our home page: www.utsc.utoronto.ca/~csms

ADVERTISING IN CAREER OPPORTUNITIES

How to Submit a Classified Line Ad: Send an e-mail to acmmediasales@acm.org. Please include text, indicate the issue or issues where the ad will appear, and provide a contact name and number.

Estimates: An insertion order will then be e-mailed back to you. The ad will be typeset according to CACM guidelines. NO PROOFS can be sent. Classified line ads are NOT commissionable.

Rates: $325.00 for six lines of text, 40 characters per line. $32.50 for each additional line after the first six. The MINIMUM is six lines.

Deadlines: Five weeks prior to the publication date of the issue (which is the first of every month). Latest deadlines: http://www.acm.org/publications

Career Opportunities Online: Classified and recruitment display ads receive a free duplicate listing on our website at: http://campus.acm.org/careercenter. Ads are listed for a period of 30 days.

For More Information Contact:
ACM Media Sales
at 212-626-0686 or
acmmediasales@acm.org

ACM Transactions on Reconfigurable Technology and Systems

This quarterly publication is a peer-reviewed and archival journal that covers reconfigurable technology, systems, and applications on reconfigurable computers. Topics include all levels of reconfigurable system abstractions and all aspects of reconfigurable technology, including platforms, programming environments, and application successes.

www.acm.org/trets
www.acm.org/subscribe
Puzzled
Breaking Chocolate Bars
Welcome to three new puzzles. Solutions to the first two will be published
next month; the third is (as yet) unsolved. In each, the issue is how your intuition
matches up with the mathematics.
Readers are encouraged to submit prospective puzzles for future columns to puzzled@cacm.acm.org.
Peter Winkler (puzzled@cacm.acm.org) is Professor of Mathematics and of Computer Science and Albert
Bradley Third Century Professor in the Sciences at Dartmouth College, Hanover, NH.