COMMUNICATIONS

ACM
cACM.acm.org OF THE 07/2012 VOL.55 NO.7

Computational
Folkloristics

Behavioral
Programming
Controlling
Queue Delay
Predatory Scholarly
Publishing
Google’s Hybrid
Approach to Research
HTML5 Leading
a Web Revolution

Association for
Computing Machinery
 “ It was great “
having so many different talks that are applicable
to what my team deals with on a daily basis.

“ Getting first-hand accounts of lessons learned in the real world.

“
Lots of great theoretics and how they play out in a production system.
Rubber, meet road.

Baltimore, MD Sept. 27th - 28th

Surge brings together experts from around the world to share their stories
and demonstrate proven concepts in Web architectures and scalable design.
Hear from the most established practitioners in our field, as they describe
operational bottlenecks and how they overcome them with proven technologies,
open standards and rational thinking.

Special Rate for ACM Members! Save $100

http://goo.gl/9PufB
h t tp: // w w w. ac m.or g /dl
communications of the acm
Departments
5 Editor’s Letter
Predatory Scholarly Publishing
By Moshe Y. Vardi
7 Letters To The Editor
An Integral Number
and Its Consequences
10 BLOG@CACM
CS and Popular Culture;
Learning From Console Games
Mark Guzdial writes about why
computer science should
permeate popular culture.
Judy Robertson discusses
the educational benefits of using
console games in the classroom.
27 Calendar
124 Careers
Last Byte
128 Future Tense
They Just Click
When glasses track glances, will eyes
still meet across a crowded room?
By Ken MacLeod
Association for Computing Machinery
Advancing Computing as a Science & Profession
2 comm unicatio ns o f the ac m
News
21
13 Degrees of Separation
Researchers now have the capability
to look at the small-world
problem from both the traditional
algorithmic approach and
the new topological approach.
By Gregory Goth
16 HTML5 Leads a Web Revolution
Propelled by a proliferation of
mobile devices and social networks,
an enhanced family of Web
specifications is bringing new
power to developers and
new capabilities to users.
By Gary Anthes
18 Patently Inadequate
The biggest change to U.S.
patent law in nearly 60 years
brings many changes, but fails
to solve the software industry’s
most vexing problems.
By Marina Krakovsky
21 Lost and Found
Researchers discover computer
pioneer Konrad Zuse’s
long-forgotten Z9, the world’s
first program-controlled
binary relay calculator using
floating-point arithmetic.
By Paul Hyman
| j u ly 201 2 | vo l. 5 5 | no. 7
Viewpoints
22 Technology Strategy and Management
Business Models for
Strategy and Innovation
While often ambiguously
defined, business models
are central to innovation.
By Mari Sako
25 Legally Speaking
Can Online Piracy
Be Stopped by Laws?
Considering the legal responsibilities
of Internet intermediaries in
the aftermath of the Stop Online
Privacy Act controversy.
By Pamela Samuelson
28 Computing Ethics
An Information Strategy for
Environmental Sustainability
Seeking solutions to
a problem of change.
By R.T. Watson, J. Corbett,
M.C. Boudreau, and J. Webster
31 Historical Reflections
Alan Turing’s Other Universal Machine
Reflections on the Turing ACE
computer and its influence.
By Martin Campbell-Kelly
34 Viewpoint
Google’s Hybrid Approach to Research
By closely connecting research
and development Google is able
to conduct experiments on an
unprecedented scale, often resulting
in new capabilities for the company.
By Alfred Spector, Peter Norvig,
and Slav Petrov
38 Viewpoint
Photogra ph by A P- Photo/ Karsten T hielker
The Challenges of Privacy by Design
Heralded by regulators, Privacy by
Design holds the promise to solve
the digital world’s privacy problems.
But there are immense challenges,
including management commitment
and step-by-step methods to
integrate privacy into systems.
By Sarah Spiekermann
 07/2012 vol. 55 no. 07

Practice Contributed Articles Review Articles

54 60 90

42 Controlling Queue Delay 60 Computational Folkloristics 90 Behavioral Programming

A modern AQM is just one piece A searchable meta-graph can
of the solution to bufferbloat. connect even troublesome house
By Kathleen Nichols and Van Jacobson elves and other supernatural beings
to scholarly folk categories.
51 My Compiler Does Not By James Abello, Peter Broadwell,
Understand Me and Timothy R. Tangherlini
Until our programming languages
catch up, code will be full of horrors. 71 Large-Scale Complex IT Systems
By Poul-Henning Kamp The reductionism behind
today’s software-engineering
54 Getting What You Measure methods breaks down in
Four common pitfalls in the face of systems complexity.
using software metrics for By Ian Sommerville, Dave Cliff,
project management. Radu Calinescu, Justin Keen,
By Eric Bouwers, Joost Visser, Tim Kelly, Marta Kwiatkowska,
and Arie van Deursen John McDermid, and Richard Paige
Articles’ development led by 78 Why On-Chip Cache
queue.acm.org Coherence Is Here to Stay
On-chip hardware coherence
can scale gracefully as the number
Illustrations by Gary Neill, J.F. Podevin, Lea nd ro Cast el ao
A novel paradigm for programming
reactive systems centered on
naturally specified modular behavior.
By David Harel, Assaf Marron,
and Gera Weiss
Research Highlights
104 Technical Perspective
For Better or Worse,
Benchmarks Shape a Field
By David Patterson
105 Looking Back and Looking Forward:
Power, Performance, and Upheaval
By Hadi Esmaeilzadeh, Ting Cao,
Xi Yang, Stephen M. Blackburn,
and Kathryn S. McKinley

of cores increases. 115 Technical Perspective

By Milo M.K. Martin, Mark D. Hill, Why Study the Price of Anarchy?
and Daniel J. Sorin By Amos Fiat
COMMUNICATIONS About the Cover:
ACM
cAcM.AcM.org OF THE 07/2012 VoL.55 No.7

Computational Do Small IT Firms Benefit from 116 Intrinsic Robustness

Computational
Folkloristics folkloristics open vast Higher Process Capability? of the Price of Anarchy
collections of classic
tales, beloved characters, Evidence suggests small firms can By Tim Roughgarden
and inspiring fantasies
for wondrous exploration
reap rewards from developing a high
Behavioral
Programming
as never before. This level of formal process capability.
month’s cover story
Controlling
Queue Delay
Predatory Scholarly (p. 60) imagines a world
By Matthew Swinarski,
Diane H. Parente, and Rajiv Kishore
Publishing
Google’s Hybrid
Approach to Research
of literary fancy at our
HTML5 Leading
a Web Revolution
fingertips. Illustration by
Association for
Jean-Francois Podevin;
http://www.podevin.com/
Computing Machinery

ju ly 2 0 1 2 | vo l . 55 | n o. 7 | c om m u n ic at ion s o f the acm 3

 communications of the acm
Trusted insights for computing’s leading professionals.

Communications of the ACM is the leading monthly print and online magazine for the computing and information technology fields.
Communications is recognized as the most trusted and knowledgeable source of industry information for today’s computing professional.
Communications brings its readership in-depth coverage of emerging areas of computer science, new trends in information technology,
and practical applications. Industry leaders use Communications as a platform to present and debate various technology implications,
public policies, engineering challenges, and market trends. The prestige and unmatched reputation that Communications of the ACM
enjoys today is built upon a 50-year commitment to high-quality editorial content and a steadfast dedication to advancing the arts,
sciences, and applications of information technology.

ACM, the world’s largest educational STA F F edi torial Board

and scientific computing society, delivers  
resources that advance computing as a Director of G roup Publis h i ng E ditor -i n-c hief
science and profession. ACM provides the Scott E. Delman Moshe Y. Vardi ACM Copyright Notice
computing field’s premier Digital Library [email protected] [email protected] Copyright © 2012 by Association for
and serves its members and the computing Executive Editor Computing Machinery, Inc. (ACM).
profession with leading-edge publications, News Permission to make digital or hard copies
Diane Crawford Co-Chairs
conferences, and career resources. Managing Editor of part or all of this work for personal
Marc Najork and Prabhakar Raghavan or classroom use is granted without
Thomas E. Lambert Board Members
Executive Director and CEO Senior Editor fee provided that copies are not made
John White Hsiao-Wuen Hon; Mei Kobayashi; or distributed for profit or commercial
Andrew Rosenbloom William Pulleyblank; Rajeev Rastogi;
Deputy Executive Director and COO Senior Editor/News advantage and that copies bear this
Patricia Ryan Jeannette Wing notice and full citation on the first
Jack Rosenberger
Director, Office of Information Systems Web Editor page. Copyright for components of this
Wayne Graves Viewpoi nts work owned by others than ACM must
David Roman
Director, Office of Financial Services Co-Chairs be honored. Abstracting with credit is
Editorial Assistant
Russell Harris Susanne E. Hambrusch; John Leslie King; permitted. To copy otherwise, to republish,
Zarina Strakhan
Director, Office of SIG Services J Strother Moore to post on servers, or to redistribute to
Rights and Permissions
Donna Cappo Board Members lists, requires prior specific permission
Deborah Cotton
Director, Office of Publications P. Anandan; William Aspray; and/or fee. Request permission to publish
Bernard Rous Art Director Stefan Bechtold; Judith Bishop; from [email protected] or fax
Director, Office of Group Publishing Andrij Borys Stuart I. Feldman; Peter Freeman; (212) 869-0481.
Scott E. Delman Associate Art Director Seymour Goodman; Shane Greenstein;
Alicia Kubista Mark Guzdial; Richard Heeks; For other copying of articles that carry a
Assistant Art Directors Rachelle Hollander; code at the bottom of the first or last page
ACM Co u n c i l Richard Ladner; Susan Landau;
Mia Angelica Balaquiot or screen display, copying is permitted
President Carlos Jose Pereira de Lucena;
Brian Greenberg provided that the per-copy fee indicated
Vinton G. Cerf Beng Chin Ooi; Loren Terveen
Production Manager in the code is paid through the Copyright
Vice-President
Lynn D’Addesio Clearance Center; www.copyright.com.
Alexander L. Wolf P ractice
Director of Media Sales
Secretary/Treasurer
Jennifer Ruzicka Chair Subscriptions
Vicki L. Hanson
Public Relations Coordinator Stephen Bourne An annual subscription cost is included
Past President
Virgina Gold Board Members in ACM member dues of $99 ($40 of
Alain Chesnais
Publications Assistant Eric Allman; Charles Beeler; Bryan Cantrill; which is allocated to a subscription to
Chair, SGB Board
Emily Williams Terry Coatta; Stuart Feldman; Benjamin Fried; Communications); for students, cost
Erik Altman
Pat Hanrahan; Marshall Kirk McKusick; is included in $42 dues ($20 of which
Co-Chairs, Publications Board Columnists Erik Meijer; George Neville-Neil; is allocated to a Communications
Ronald Boisvert and Jack Davidson Alok Aggarwal; Phillip G. Armour; Theo Schlossnagle; Jim Waldo subscription). A nonmember annual
Members-at-Large Martin Campbell-Kelly;
The Practice section of the CACM subscription is $100.
Eric Allman; Ricardo Baeza-Yates; Michael Cusumano; Peter J. Denning;
Radia Perlman; Mary Lou Soffa; Shane Greenstein; Mark Guzdial; Editorial Board also serves as
the Editorial Board of . ACM Media Advertising Policy
Eugene Spafford Peter Harsha; Leah Hoffmann; Communications of the ACM and other
SGB Council Representatives Mari Sako; Pamela Samuelson;
C o ntributed A rticles ACM Media publications accept advertising
Brent Hailpern; Joseph Konstan; Gene Spafford; Cameron Wilson
Co-Chairs in both print and electronic formats. All
Andrew Sears
Al Aho and Georg Gottlob advertising in ACM Media publications is
Co n tact P o in ts at the discretion of ACM and is intended
Copyright permission Board Members
Board Chai rs to provide financial support for the various
[email protected] Robert Austin; Yannis Bakos; Elisa Bertino;
Education Board Gilles Brassard; Kim Bruce; Alan Bundy; activities and services for ACM members.
Andrew McGettrick Calendar items Current Advertising Rates can be found
[email protected] Peter Buneman; Erran Carmel;
Practitioners Board Andrew Chien; Peter Druschel; Blake Ives; by visiting http://www.acm-media.org or
Stephen Bourne Change of address by contacting ACM Media Sales at
[email protected] James Larus; Igor Markov; Gail C. Murphy;
Shree Nayar; Bernhard Nebel; Lionel M. Ni; (212) 626-0686.
Regional C o u nc i l C hairs Letters to the Editor
[email protected] Sriram Rajamani; Marie-Christine Rousset;
ACM Europe Council Avi Rubin; Krishan Sabnani; Single Copies
Fabrizio Gagliardi Fred B. Schneider; Abigail Sellen; Single copies of Communications of the
ACM India Council W e b S I TE ACM are available for purchase. Please
http://cacm.acm.org Ron Shamir; Yoav Shoham; Marc Snir;
Anand S. Deshpande, PJ Narayanan Larry Snyder; Manuela Veloso; contact [email protected].
ACM China Council Michael Vitale; Wolfgang Wahlster;
Jiaguang Sun Au tho r G u id elin es Comm un ication s of the ACM
http://cacm.acm.org/guidelines Hannes Werthner; Andy Chi-Chih Yao
(ISSN 0001-0782) is published monthly
Research Hig hlig h ts by ACM Media, 2 Penn Plaza, Suite 701,
Pu bl icati o n s Board
ACM Adve rt i sin g Departme n t New York, NY 10121-0701. Periodicals
Co-Chairs Co-Chairs
2 Penn Plaza, Suite 701, New York, NY postage paid at New York, NY 10001,
Ronald F. Boisvert; Jack Davidson Stuart J. Russell and Gregory Morrisett
10121-0701 and other mailing offices.
Board Members Board Members
T (212) 626-0686
Marie-Paule Cani; Nikil Dutt; Carol Hutchins; Martin Abadi; Stuart K. Card; Jon Crowcroft;
F (212) 869-0481 PO STMAST E R
Joseph A. Konstan; Ee-Peng Lim; Alon Halevy; Monika Henzinger;
Maurice Herlihy; Norm Jouppi; Please send address changes to
Catherine McGeoch; M. Tamer Ozsu; Director of Media Sales
Andrew B. Kahng; Mendel Rosenblum; Communications of the ACM
Vincent Shen; Mary Lou Soffa Jennifer Ruzicka
Ronitt Rubinfeld; David Salesin; 2 Penn Plaza, Suite 701
[email protected] New York, NY 10121-0701 USA
ACM U.S. Public Policy Office Guy Steele, Jr.; David Wagner;
Cameron Wilson, Director Media Kit [email protected] Alexander L. Wolf; Margaret H. Wright
1828 L Street, N.W., Suite 800
Washington, DC 20036 USA Web
T (202) 659-9711; F (202) 667-1066 Association for Computing Machinery Chair
(ACM) James Landay
Computer Science Teachers Association 2 Penn Plaza, Suite 701 Board Members A
SE
REC
Y

Chris Stephenson, New York, NY 10121-0701 USA Gene Golovchinsky; Marti Hearst;
E

CL
PL

Executive Director T (212) 869-7440; F (212) 869-0481 Jason I. Hong; Jeff Johnson; Wendy E. MacKay Printed in the U.S.A.
NE
TH

S
I

Z
I

M AGA

4 c ommunic atio ns o f the acm | j u ly 201 2 | vo l. 5 5 | no. 7

 editor’s letter

DOI:10.1145/2209249.2209250 Moshe Y. Vardi

Predatory Scholarly Publishing

Scholarly publishing is a very unique business.
In a typical business, you have two parties: sellers
and buyers. In scholarly publishing you also have
sellers and buyers, these are the publishers and
the research libraries. However, you
have two additional parties. On one
side, you have authors, who freely and
eagerly provide content (“publish or
perish”). On the other side, there are
editors and reviewers, who act as gate-
keepers. They do so for a variety of rea-
sons: sometimes for financial remu-
neration, but mostly out of civic duty
and to gain scholarly prestige.
For scholarly publishing to be suc-
cessful as a business, publishers must
convince libraries to subscribe to
their publications. Because budgets
have become tighter over the last few
years, librarians are quite resistant to
increase their subscription inventory.
The trend, in fact, is to prune, prune,
and prune. Librarians, therefore, must
be convinced of a journal’s high quality
before adding it to their subscription
inventory. This resistance by libraries
has been an important force for main-
taining quality in scholarly publishing.
Recent trends have upset this deli-
cate balance between publishers, li-
braries, authors, and editors, by freeing
publishers from the need to get librar-
ies to subscribe. Here is an example:
I regularly receive email solicita-
tions such as: “Dear Author, as a gen-
eral chair of GESTS, I am happy to
invite you for the acceptance of your
paper [sic] to be published in the
GESTS International Transactions.”
(GESTS stands for Global Engineering,
Science, and Technology Society.) The
offer even provides volume and issue
numbers. One has to read further down
the invitation to find the coy reference
to “registration fees.” Again, this may
seem like a scam, but a quick Web
search finds many bibliographies that
include publications in the GESTS In-
ternational Transactions. Apparently,
the publish-or-perish pressure creates
a market, and enterprising publishers
are keen to meet the demand. By shift-
ing the costs to authors, GESTS is freed
from dealing with librarians.
Here is another tantalizing offer:
“Dear Professor Vardi, we would like
to invite you as keynote speaker for one
of the next WSEAS Conferences.” This
may seem as a genuine invitation to a
bona fide scientific meeting, until one
encounters a sentence such as “So, our
plenary speakers can publish a mini-
mum of one paper, maximum of three
papers, without registration fees” and
“New prospective plenary speakers
must send their CV to ...” You can find
a vigorous online debate on the precise
nature of the WSEAS conferences, with
allegations that the organizer is an en-
terprising academic, providing a forum
where needy scholars can publish with-
out battling hypercritical reviewers.
So what has upset the traditional
scholarly publishing marketplace?
On one hand, digital publishing has
gained legitimacy. In fact, there are
many high-quality publications that
are published purely digitally. On the
other hand, the growing popularity of
open-access publishing popularized
the author-pays model, in which pub-
lishers obtain revenues from author
fees rather than from subscription fees.
While there is nothing inherently wrong
with the author-pays model, the remov-
al of libraries from the equation created
an unbalanced system: both publish-
ers and authors want to publish, while
libraries have little say. Editors and re-
viewers may try to uphold quality, but
their power is diminished when pub-
lishers and authors are so eager to pub-
lish. (I resigned a few years ago from the
editorial board of a prominent proceed-
ings series, foregoing an annual hono-
rarium of €6,000, when I realized quality
was declining as publishing decisions
were made by the publisher rather
than by the editorial board.) This new
imbalance in scholarly publishing has
given rise to “predatory” publishing,
whose main goal is to generate profits
rather than promote scholarship. An
informal directory of predatory pub-
lishers and journals has over 50 entries
(see http://scholarlyoa.com/).
As I have written previously, I be-
lieve the partnership that once existed
between the scholarly community and
commercial publishers is fundamen-
tally broken. Frankly, I do not under-
stand why Elsevier is practically the sole
target for the recent wrath directed at
scholarly publisher. Elsevier is no worse
than most other commercial publish-
ers, just bigger, I believe. While not all
commercial publishers are predatory
publishers, they are all primarily driven
by profits, which creates a conflict of
interest between publishers and au-
thors. The future of scholarly publish-
ing belongs to association publishing,
where the members are the publishers,
authors, editors, and reviewers, sharing
commitment to scholarship.
Moshe Y. Vardi, editor-in-chief

ju ly 2 0 1 2 | vo l . 55 | n o. 7 | com m u n i c at ion s of the acm 5

 membership application &
Advancing Computing as a Science & Profession
digital library order form
Priority Code: AD10

You can join ACM in several easy ways:

Online Phone Fax
http://www.acm.org/join +1-800-342-6626 (US & Canada) +1-212-944-1318
+1-212-626-0500 (Global)
Or, complete this application and return with payment via postal mail

Special rates for residents of developing countries: Special rates for members of sister societies:
http://www.acm.org/membership/L2-3/ http://www.acm.org/membership/dues.html
Please print clearly
Purposes of ACM
ACM is dedicated to:
Name
1) advancing the art, science, engineering,
and application of information technology
2) fostering the open interchange of
Address information to serve both professionals and
the public
3) promoting the highest professional and
City State/Province Postal code/Zip ethics standards
I agree with the Purposes of ACM:
Country E-mail address

Signature

Area code & Daytime phone Fax Member number, if applicable ACM Code of Ethics:
http://www.acm.org/serving/ethics.html

choose one membership option:

PROFESSIONAL MEMBERSHIP: STUDENT MEMBERSHIP:
o ACM Professional Membership: $99 USD o ACM Student Membership: $19 USD

o ACM Professional Membership plus the ACM Digital Library: o ACM Student Membership plus the ACM Digital Library: $42 USD
$198 USD ($99 dues + $99 DL) o ACM Student Membership PLUS Print CACM Magazine: $42 USD
o ACM Digital Library: $99 USD (must be an ACM member) o ACM Student Membership w/Digital Library PLUS Print
CACM Magazine: $62 USD

All new ACM members will receive an payment:

ACM membership card. Payment must accompany application. If paying by check or
For more information, please visit us at www.acm.org money order, make payable to ACM, Inc. in US dollars or foreign
currency at current exchange rate.
Professional membership dues include $40 toward a subscription
to Communications of the ACM. Student membership dues include o Visa/MasterCard o American Express o Check/money order
$15 toward a subscription to XRDS. Member dues, subscriptions,
and optional contributions are tax-deductible under certain
o Professional Member Dues ($99 or $198) $ ______________________
circumstances. Please consult with your tax advisor.
o ACM Digital Library ($99) $ ______________________
RETURN COMPLETED APPLICATION TO:
o Student Member Dues ($19, $42, or $62) $ ______________________
Association for Computing Machinery, Inc.
General Post Office Total Amount Due $ ______________________
P.O. Box 30777
New York, NY 10087-0777

Questions? E-mail us at [email protected] Card # Expiration date

Or call +1-800-342-6626 to speak to a live representative

Satisfaction Guaranteed! Signature


DOI:10.1145/2209249.2209251
An Integral Number and Its Consequences
P
o n d e r i n g M o s h e Y. VA RDI ’ S
Editor’s Letter “What Is an
Algorithm?” (Mar. 2012),
one should consider the fact
that in its most abstract and
tangible form an algorithm is simply
an integral number and that an inter-
pretation of an algorithm as an ab-
stract state machine reflects this truth.
A researcher or engineer can then hy-
pothesize other representations of the
algorithm’s number that might en-
hance computational efficiency.
One truly elegant notion supporting
computational theory is that each of us
can interpret a number’s symbolic rep-
resentation differently. Depending on
which lens one uses, the view might re-
veal an integer, a floating-point value, a
character in a collating sequence, or a
computational behavior (such as func-
tion, procedure, or subroutine).
Likewise, one could take the view
that an algorithm in its most abstract
state is a complete collection of all the
intangible thoughts and ideas that
generate its design, whether based on
lists of imperatives, nesting functions,
states and transitions between them,
transfer of tokens between containers
in a Petri net, or any equivalent rep-
resentation of a Turing machine. As
such, an algorithm represents these
ephemeral thoughts and ideas com-
bined, ultimately resisting definitive
and universal quantification and mea-
surement.
To gain deeper insight into the
abstractions surrounding a given al-
gorithm, one would do well to also
revisit earlier works on the topic. Pon-
dering the original intent of the early
visionaries of computing by repub-
lishing their work with critiques from
today’s leaders would be enlightening
and enjoyable. As with many advanc-
es in science, their efforts were often
met with stark criticism. However,
reassessing their intent today could
spark further refinement of modern
concepts derived from computing’s
inherently iterative and optimizing
research life cycle.
Jody Sharpe, Omaha, NE
Author’s Response:
A mathematical model tries to capture
(abstractly) the essence of the phenomenon
being modeled. From this perspective, a
person saying, “What is an algorithm?”
would not be satisfied with the answer “An
algorithm is an integral number.”
Moshe Y. Vardi, Editor-in-Chief
Give the Past Its Due
David Anderson’s Historical Reflec-
tions column “The Future of the Past”
(May 2012) made a persuasive case for
preserving computer hardware and
software artifacts. I would add that
computer science has not preserved its
paper well, either; for example, when
The American Federation of Informa-
tion Processing Societies, the parent
of both ACM and IEEE, folded in 1990,
its records, periodicals collection, and
books went to the dump, as did the
records of the Microelectronics and
Computer Technology Corporation,
or MCC, a major consortium for which
I worked in the 1980s. I welcome ef-
forts such as those led by Bruce Damer,
whose Digibarn Museum (http://www.
digibarn.com/) houses paper materi-
als, as well as working versions of vin-
tage PC hardware and GUI software.
Computer science can do even
more to preserve its legacy, encour-
aging and assisting ethnographers
to look into technology development
and use. Otherwise, future historians,
as well as computer professionals, will
be left to infer or guess how preserved
artifacts were designed, used, and ulti-
mately abandoned, much as we specu-
late today about the use of unearthed
artifacts of ancient civilizations.
Jonathan Grudin, Redmond, WA
Assignment Is Asymmetric
When discussing a mistake in the C
language, Paul W. Abrahams in his
letter to the editor “Still Paying for a C
Mistake” (Apr. 2012) concerning Poul-
Henning Kamp’s practice article “The
Most Expensive One-Byte Mistake”
ju ly 2 0 1 2 | vol . 55 | n o. 7 | c om m u n ic at ion s o f the acm
letters to the editor
(Sept. 2011) apparently fell victim to a
C fallacy when citing the “celebrated C
one-liner”
while (*s++ = *t++);
explaining its effect as “copies the
string at s to the string at t.” But in C it
is the other way round, because *s++ =
*t++ is an assignment expression that
works from right to left.1 This means
the assignment is a noncommutative
operation that in C would be represent-
ed by the symmetric symbol =, not by
an asymmetric symbol (such as := or ←).
With such a symbol this fallacy would
disappear like this
while (*s++ := *t++); or while
(*s++ ← *t++);
These one-liners also observe the de-
sign rule that “form follows function.”
Using this notation, the statement
(with the effect mentioned by Abraha-
ms) should instead be
while (*s++ =: *t++); or while
(*s++ → *t++);
 ürgen F.H. Winkler,
J
Feldkirchen-Westerham, Germany
Reference
1. Ritchie, D.M. C Reference Manual. Bell Telephone
Laboratories, Murray Hill, NJ, 1975; http://cm.bell-
labs.com/cm/cs/who/dmr/cman.pdf
Concerning the letter to the editor by
Paul W. Abrahams (Apr. 2012), saying
“C was designed with the PDP-11 in-
struction set very much in mind” con-
flicts with the fact that the C language
was based on the B language, which
was written for the PDP-7; the PDP-11
did not yet exist.
Concerning ++ and – modes, C’s
creator Dennis M. Ritchie wrote, “Peo-
ple often guess that they were created
to use the auto-increment and auto-
decrement address modes provided
by the DEC PDP-11 on which C and
Unix first became popular. This is his-
torically impossible, since there was no
PDP-11 when B was developed… Even
7
letters to the editor
the alleged similarity between PDP-11
assembly and C is apparently ‘a folk
myth,’ pure and simple, which contin-
ues propagating because it’s a handy
sound bite, not because there is any
truth to it whatsoever”; see The Develop-
ment of the C Language at http://cm.bell-
labs.com/cm/cs/who/dmr/chist.html.
Moreover, while the C statement
while (*s++ = *t++) ;
can be compiled into two lines of PDP-
11 code, the PDP-11 code given by Abra-
hams was not correct. The mov instruc-
tion moves a whole 16b word, or 2B at
a time, and is likewise not correct. The
auto-increment operator was +, not ++.
A programmer would use (R0) to point
to the character string, not (@R0). The
programmer can sometimes replace
(R0) with @R0, but this code should
not be concatenated in the manner
cited by Abrahams. It is also possible to
write @(R0)+, but its meaning is differ-
ent from what is needed here. The code
should be
A: movb (R0)+, (R1)+
bne A ;Branch if Not Equal (to zero)
However, this does not mean the PDP-
11 could not have handled a length vari-
able just as efficiently. Using R0 and R1
to hold the source and destination ad-
dresses for the string cited by Abraha-
ms, it would suffice to move the length
of the string into another register R2.
The programmer would then have
A: movb (R0)+, (R1)+
sob R2,A
The sob instruction, which was mis-
understood by some programmers,
means “Subtract One and Branch (if
equal to zero)” and was clearly quite
powerful.
Roger Caffin, Sydney, Australia
Author’s Response:
Winkler is correct; I inadvertently reversed
s and t, with s the target and t the source.
The code might have been more transparent
if I had written it as while (*t++ = *s++);
since t would indeed then stand for “target”
and s for “source.”
As for Caffin, I suppose both Poul-
Henning Kamp (Sept. 2011) and I were
8 communicatio ns o f the ac m | j u ly 201 2 | vol . 5 5 | no. 7
taken in by the folk myth, which seems
to have had wide currency. Neither of
us was aware of Dennis M. Ritchie’s
enlightening paper from the 1993 History
of Programming Languages Conference,
as Caffin usefully cited. In it, Ritchie
definitively clarified what he and Ken
Thompson were thinking: “This change
was made partially to avoid the limitation
on the length of a string caused by holding
the count in an 8- or 9-bit slot, and partly
because maintaining the count seemed, in
our experience, less convenient than using
a terminator.”
None of this negates Kamp’s main point,
on which I totally agree, that the decision to
use a terminating null rather than a length
count in representing strings was a mistake
that ultimately proved very costly.
Paul W. Abrahams, Deerfield, MA
Still Wondering Why LINQ Matters
The sole purpose of the article “Why
LINQ Matters: Cloud Composability
Guaranteed” (Apr. 2012) by Brian Beck-
man seemed to be to try to show that
LINQ is buzzword-compatible, as in
“cloud” and “RESTful Web services.”
While I agree with Beckman’s main
point—that composability and design-
ing for it are important and useful—I
object to the article’s exposition for the
following reasons:
First, it claimed LINQ is applicable
to graphs (among other things). If a
graph is to be treated as a collection,
it must first be linearized (such as
through a topological sort), but what
about cycles? Moreover, not at all obvi-
ous was that the result of a query is in-
dependent of the chosen linearization.
Without concrete examples, the article
was rather unconvincing when stating
that, say, convolutions, continuations,
and exceptions can be viewed as se-
quences usable for LINQ operators.
Second, the article was largely de-
voted to convincing the reader that a
LINQ query can be represented as an
abstract syntax tree (AST) traversable
in postorder and encodable in a uni-
form resource identifier (URI)—which
is kind of a boring, well-known fact. As
an engineer-practitioner, I object to
the idea of encoding queries in URIs
though accept it for the sake of the in-
tellectual exercise.
Third, its description of the EX-
PAND category of operators, claimed as
crucial for composability, was lacking.
For example, for the SelectMany op-
erator, I had to infer from nearby text
what SelectMany is supposed to do,
but the article’s other “examples” (one
sentence and Figure 7) contributed
nothing to my understanding of what
the category is supposed to do. Why
would “all orders from all customers”
require flattening/SelectMany
when only a single collection—or-
ders—is involved?
Finally, I disagree with the claim
that orders of arguments can ruin the
property of operator composability.
Unless Beckman expects developers to
(manually?) encode queries in URIs by
pasting in text fragments, a machine
might reconstruct an AST from a repre-
sentation with the “wrong” order of ar-
guments and use it as a starting point
for constructing the AST of another
query. Not clear is how this might af-
fect embedding in URIs, since the AST
must still be reconstructed, modified,
and reencoded.
Zeljko Vrba, Oslo, Norway
Author’s Response:
LINQ’s foundation is the monad type class
borrowed from the Haskell programming
language. A monad is an interface for
managing monoidal container structures,
including lists, sets, bags, and permutations.
LINQ does not presuppose or guarantee
order. No matter how one might linearize a
graph into, say, an ordered list or unordered
bag, LINQ will not change the given order.
As for convolutions, continuations,
and exceptions, I need only show that a
collection is monadic to show it is also
LINQable. For convolutions, under the
Fourier representation, LINQ operates
on vector spaces, which are monads. For
the continuation and exception monads
(called the Maybe monad), see Haskell
documentation http://www.haskell.org/
haskellwiki/Haskell.
Vrba and I will respectfully disagree
on the order of arguments. I grant that
machine reordering is a functional fix, but it
also introduces an extra step at the call site
I would rather avoid as a point of style.
Brian Beckman, Redmond, WA
Communications welcomes your opinion. To submit a
Letter to the Editor, please limit yourself to 500 words or
less, and send to [email protected].
© 2012 ACM 0001-0782/12/07 $15.00
Computing Reviews is on the move

Our new URL is

ComputingReviews.com

A daily snapshot of what is new and hot in computing

 The Communications Web site, http://cacm.acm.org,
features more than a dozen bloggers in the BLOG@CACM
community. In each issue of Communications, we’ll publish
selected posts or excerpts.

Follow us on Twitter at http://twitter.com/blogCACM

doi:10.1145/2209249.2209253 http://cacm.acm.org/blogs/blog-cacm

CS and Popular “computer science.”) I have heard

there is an effort to create a television

Culture; Learning From

show that features a computer scien-
tist as its hero. Television is incredibly
powerful in popular culture, and such

Console Games a show would only help to explain who

Mark Guzdial writes about why computer science should permeate
popular culture. Judy Robertson discusses the educational benefits of
using console games in the classroom.
Mark Guzdial
“The Long Road to
a Seat at the Table”
http://cacm.acm.org/
blogs/blog-cacm/107743
April 23, 2011
I recently gave a talk at the American
Educational Research Association’s
annual meeting, my first time at that
venue in more than 10 years. I spoke
for my student, Lijun Ni, about her
work studying how U.S. high school
teachers come to see themselves as
computer science teachers (which
is different than other STEM fields
since few states have CS teacher certi-
fication). In response to one of the ob-
servations about these teachers, one
of the other speakers, an education
post-doc at a top U.S. university, said,
“Maybe that’s because they’re comput-
er science teachers. Computer science,
as a discipline, is not interested in re-
search and is only interested in imme-
diate answers.” That is what scholars
in other disciplines think about com-
puter scientists?
Computer science is working hard
to be considered an equal player
among the STEM (science, technology,
engineering, and mathematics) disci-
plines. We try to get computer science
into the core curriculum alongside dis-
ciplines that are hundreds (in some
cases, more than a thousand) years
older than our own. We worry about
how people outside of our community
understand computer science. These
are well-founded worries, and I strong-
ly support these efforts. But I think a
really deep cultural understanding of
who we are will take awhile.
It takes time to permeate popular
culture the way that other disciplines
have. Sure, people’s understanding
of disciplines like engineering is not
always accurate, but it is a lot closer
than ours. Many layperson’s defini-
tion of “computer scientists” is that
we are expert at using applications
like Photoshop and Excel (unfortu-
nately, Lijun found that definition
even among some of the high school
teachers who claim to be teaching
we are and what we do. I wonder if we
should also be thinking about slower,
more pervasive ways of influencing
popular culture.
We also need the equivalent of pop
culture paperbacks about computer
science. When I was a student in high
school and an undergraduate in col-
lege, many of my classes also required
us to read some mass-culture paper-
back that connected to the class. I re-
member reading Future Shock for a high
school class and Cat’s Cradle in an un-
dergraduate engineering class (to lead
into a discussion about the unexpect-
ed effects of technological advances).
My daughter just read The Dragons of
Eden for her high school science class.
Many (maybe even most or all?) ar-
eas of science have books written for
the educated-but-not-specialist reader
about topics in that area. These books
are not textbooks, and they are not
surveys of the whole field. They are a
slice, written in approachable though
not necessarily simple prose. They can
be useful to assign in a class to get stu-
dents to think about a perspective on
the course that might not otherwise
come up, and to feed into discussions.
Where are the popular culture pa-
perback books on computer science?
There are a few. Danny Hillis’ The Pat-
terns on the Stone meets the definition.
James Gleick’s book The Information

10 com municatio ns o f the ac m | j u ly 201 2 | vo l. 5 5 | no. 7


may serve that role. Few books like
these actually contain code or describe
algorithms, the stuff that computer sci-
entists talk and think about. How many
of us CS educators actually assign these
books in class and then discuss them?
We need books like these—and
maybe not just books but also bits of
software, simulations, videos, elec-
tronic books, and active essays. We
need media that are aimed at the ed-
ucated-but-not-specialist reader with
approachable prose (maybe with other
modalities), that are not textbooks,
that do not aim to cover the whole
field, that describe a particular slice
or perspective on computer science,
and that could be assigned in a CS
class for breadth and to spur discus-
sion. We need a lot of media like this,
as much as has been written like this
about mathematics, biology, chemis-
try, physics, and other disciplines.
If we want to take our place in popu-
lar culture, we have to make the same
contributions of ideas to the broad
public and provide accessible media.
It is the long, slow road into permeat-
ing our culture the way that other dis-
ciplines do.
Reader’s Comments
I see a serious problem. Computing is both
an academic discipline and a profession
for millions of people. But the two are
not the same. It is not dissimilar to the
difference between physics and electrical
engineering. Computer science is most
often presented in a fashion that parallels
the presentation of physics. Typically, the
academic discipline of computer science
pays but little attention to the concerns of
the practicing IT professional.
We confuse our audience if we do not
clearly recognize the difference between
the academic discipline of computer science
and the practice of IT professionals. Until
we are clear about the difference, the great
unwashed masses can hardly be expected
to be clear about what it means to be either
a computer scientist or an IT professional.
—Bob Fabian
It is a great point, Bob. I think we need to
convey both to the general public. Computer
science is a fascinating, rigorous academic
discipline that is critical to innovation in our
world. Being an IT professional has aspects
of both engineering and craft. The former
is more critical for the K–12 core, in my
opinion, but both are completely appropriate
and useful to share in the “popular
paperback” kinds of representations that
might be used to reach the wider public.
—Mark Guzdial
Judy Robertson
“The Impact of
Console Games
in the Classroom”
http://cacm.acm.org/
blogs/blog-cacm/108486
May 19, 2011
Futurelab recently published a report
on the impact of console games in Scot-
tish classrooms. It contains case study
evidence from 19 schools in which pu-
pils are involved in game-based learn-
ing projects, and considers the impact
from the point of view of school lead-
ers, teachers, and pupils themselves.
I find these types of studies very inter-
esting because they are about the way
technology gets incorporated into edu-
cational practice in the everyday messy
world of schools. Most of the console
games used in the classes—Guitar
Hero, Nintendogs, Endless Ocean—were
never intended to be educational, and
certainly not in school settings. They
have been enthusiastically adopted by
teachers who happen to notice their
educational potential while playing
them at home. Contrast this to the
academic development of interactive
learning environments that may be
carefully designed to solve a specific
educational problem but are often suf-
ficiently obscure that they never see the
light of day in a classroom. The adop-
tion of common off-the-shelf games in
classrooms is characterized by evan-
gelism. Once converted, practitioners
tend to get quite overexcited by it all
and joyously sing the praises of such
projects. This might go some way to
explaining Futurelab’s bias in choos-
ing to identify the educational benefits
of console game-based learning rather
than the drawbacks or challenges.
That said, there are some inter-
esting findings in the report that go
beyond the excitement about moti-
vating learners. One is that teachers
became motivated by the projects be-
cause they could see what an impact
it had on their classes. Initially some
teachers were worried about adopt-
ing games in the classroom because
they did not see how it would fit with
ju ly 2 0 1 2 | vo l . 55 | n o. 7 | c om m u n i c at ion s o f t he acm
blog@cacm
the curriculum, or they were pan-
icked about not being able to use the
technology themselves, or they were
worried about parents’ perceptions
of it. However, the experience of see-
ing their students become enthused
about and engaged with their learning
convinced many of the teachers that
the risks were worth it. From the per-
spective of keeping teachers invested
in their work and extending their pro-
fessional repertoire, managing a chal-
lenging games-based learning project
is likely to be beneficial.
A striking aspect of the classroom
projects is that the pupils typically
spend very little time actually playing
a game at school—perhaps five min-
utes, three times a week. A lot of the
classroom activities are based on a
game but do not directly involve play-
ing it, e.g., balancing a budget for your
rock band’s forthcoming tour or writ-
ing about how to best look after your
Nintendog pet. It seems like a small
amount of game playing translates to a
lot of motivational “buzz.”
Critics of game-based learning in
school sometimes argue that playing
games in school tarnishes children’s
enjoyment of games at home, that it
takes the fun out of it. The children
interviewed in these case studies com-
mented that they liked to receive sup-
port and advice from their classmates
about solving puzzles in the games,
and they liked the increased competi-
tion. They also liked being challenged
in school. Some children noticed the
titles they played at home were not as
good for learning as those at school—
perhaps the project taught them to ex-
pect more from games?
I will end with one of my favor-
ite quotes from an interview with an
eight-year-old who took part in a proj-
ect based on Cooking Mama. “I burnt
a cake at home and I learned that it’s
just life—you have to cope with it not
going right… and the topic helped us
with that and keeps us from getting
bad tempers.” Coping gracefully with
failure seems like a great skill to learn
at school whether learned through real
or virtual baked goods.
Mark Guzdial is a professor at the Georgia Institute of
Technology. Judy Robertson is a lecturer at Heriot-Watt
University.
© 2012 ACM 0001-0782/12/07 $15.00
11
 ACM
ACM’s Member
Career & Job Center News
Vinton G. Cerf Elected
ACM President
Looking for your next IT job? Vinton G. Cerf,
vice president
Need Career Advice?

and chief Internet
evangelist for
Google, was
elected president
Visit ACM’s Career & Job Center at: of ACM in the
May 2012 general election.
An ACM member since 1967,

http://jobs.acm.org
Cerf says his “primary function
will be to convey to Council and
ACM leadership the policy views
of the general membership.
To this end, I will invite open
Offering a host of career-enhancing benefits: dialogue with any and all
members of ACM so as to be
informed of their views.”
➜ A highly targeted focus on job opportunities in
The election results include:
PRESIDENT
the computing industry Vinton G. Cerf, Google
(term: July 1, 2012–June 30, 2014)
➜ Access to hundreds of corporate job postings VICE PRESIDENT
Alexander L. Wolf,
Imperial College London
➜ Resume posting keeping you connected to the (July 1, 2012–June 30, 2014)
employment market while letting you maintain SECRETARY/TREASURER
Vicki L. Hanson,
full control over your confidential information University of Dundee
(July 1, 2012–June 30, 2014)
➜ An advanced Job Alert system notifies you of MEMBERS AT LARGE
Eric Allman, Sendmail, Inc.
new opportunities matching your criteria (July 1, 2012–June 30, 2016)
Ricardo Baeza-Yates,
➜ Career coaching and guidance from trained
Yahoo! Research Barcelona
(July 1, 2012–June 30, 2016)
experts dedicated to your success Radia Perlman, Intel
(July 1, 2012–June 30, 2016)
Mary Lou Soffa,
➜ A content library of the best career articles University of Virginia
(July 1, 2012–June 30, 2016)
compiled from hundreds of sources, and much Eugene H. Spafford,
Perdue University
more! (July 1, 2012–June 30, 2016)
The number of votes polled
by each candidate:

The ACM Career & Job Center is the perfect place to President
Vinton G. Cerf 3,843
begin searching for your next employment opportunity! Barbara G. Ryder 3,727
Vice President

http://jobs.acm.org
Alexander L. Wolf 4,992
Mathai Joseph 2,361
Secretary/Treasurer
Vicki L. Hanson 4,747
George V. Neville-Neil 2,584
Members at Large
Mary Lou Soffa 5,454
Radia Perlman 5,111
Eric Allman 4,840
Eugene H. Spafford 4,739
Ricardo Baeza-Yates 4,546
Feng Zhao 3,658
P J Narayanan 3,342

12 c omm unicatio ns o f the ac m | j u ly 201 2 | vo l. 5 5 | no. 7

CareerCenter_TwoThird_Ad.indd 1 4/3/12 1:38 PM
N
news

Science | doi:10.1145/2209249.2209255 Gregory Goth

Degrees of Separation
Researchers now have the capability to look at the
small-world problem from both the traditional algorithmic
approach and the new topological approach.

T
h e i d ea of six degrees of
separation—that is, that ev-
ery person in the world is no
more than six people away
from every other person on
earth—has fascinated social scientists
and laymen alike ever since Hungarian
writer Frigyes Karinthy introduced the
concept in 1929.
For the greater public, the cultural
touchstone of the theory was the 1990
play entitled Six Degrees of Separation
by John Guare. Although the drama
was not an exploration of the phe-
nomenon by any means, it spawned
countless versions of parlor games.
For scientists, however, the wellspring
of the six degrees phenomenon, also
called the small-world problem, was
a 1967 study undertaken by social psy-
chologist Stanley Milgram, in which
a selected group of volunteers in the
Midwestern U.S. were instructed to
forward messages to a target person A study of 721 million Facebook users showed an average of 3.74 intermediaries between a
in Boston. Milgram’s results, pub- source and target user, as opposed to social psychologist Stanley Milgram’s mean of five.
lished in Psychology Today in 1967,
Image by wikipedia user Da nnie-wa lker

were that the messages were delivered
by “chains” that comprised anywhere
between two and 10 intermediaries,
with the mean being five.
In the ensuing years, the problem
has become a perennial favorite among
researchers of many disciplines, from
computer scientists exploring proba-
bilistic algorithms for best use of net-
work resources to epidemiologists
exploring the interplay of infectious
diseases and network theory.
Most recently, the vast architectur-
al resources of Facebook and Twitter
have supplied researchers with some-
thing they never possessed before—the
capability to look at the small-world
problem from both the traditional al-
gorithmic approach, which explores
the probabilities of how each person
(or network node) in a chain seeks out
the next messenger using only the lim-
ited local knowledge they possess, and
the new topological approach, which

ju ly 2 0 1 2 | vo l . 55 | n o. 7 | com m u n i cat ion s o f t he acm 13

news

can examine the entire structure of a
network as it also observes the progres-
sion of the algorithmic chains.
“It’s amazing how far we’ve come,”
says Duncan Watts, a founding part-
ner at Microsoft Research New York
City, who was until recently a senior
researcher at Yahoo! Watts is one of
the world’s leading authorities on the
small-world problem, dating to the
publication of “Collective Dynam-
ics of ‘Small-world’ Networks,” co-
authored with Steven Strogatz, in Na-
ture in 1998. At that time, Watts says,
the largest available network, actors
listed in the Internet Movie Database,
contained about 225,000 edge nodes
(individual actors). A recent study by
researchers from Facebook and the
University of Milan, however, looked
at 721 million Facebook users, who
had 69 billion unique friendships
among them, and revealed an aver-
age of 3.74 intermediaries between a
source and target user, suggesting an
even smaller world than Milgram’s
original study showed.
“In fact, the whole motivation of the
thing I did with Strogatz was precisely
that you couldn’t do the exercise Face-
book just did,” Watts says. “Now the
empirical exercise is possible. That’s a
remarkable change.”
A Similarity of Results
One must consider the large variety of
online communities and compare the
small-world experiments performed
on them to Milgram’s method—send-
ing a message via terrestrial delivery
routes—in order to fully appreciate the
similarity of results across the board.
While the Facebook experiment yield-
ed approximately four degrees of sepa-
ration, work by distinguished scientist
Eric Horvitz of Microsoft Research and
Stanford University assistant profes-
sor Jure Leskovec, on connections be-
tween users of the Microsoft Instant
Messaging network, yielded an average
6.6 degrees of separation between any
two users. In their 2009 paper “Social
Search in ‘Small-world’ Experiments”
examining the algorithmic approach,
Watts, Sharad Goel, and Roby Muha-
mad discovered that roughly half of
One ironic factor
in examining
the small-world
problem as online
communities grow
ever larger is that
the experiments’
attrition rates are
also vastly greater
than in the past.
all chains can be completed in six or
seven steps, “thus supporting the ‘six
degrees of separation’ assertion,” they
wrote, “but on the other hand, esti-
mates of the mean are much longer,
suggesting that for at least some of the
population, the world is not ‘small’ in
the algorithmic sense.”
Discovering the reason why “the
world is not ‘small’ in the algorithmic
sense” presents a wide swath of fertile
ground for those researchers, includ-
ing Watts and Leskovec, who are still
plumbing the many vectors of net-
work navigation.
One ironic, or counterintuitive,
factor in examining the small-world
problem as online communities grow
ever larger is that the experiments’
attrition rates are also vastly greater
than in the past. For instance, Watts
says only 12% of those who signed up
for a joint small-world experiment at
Yahoo! and Facebook completed their
chains, compared with 75% of those
who participated in Milgram’s ex-
periment and the 35% who completed
chains in a 2001–2002 experiment
run by Watts.
However, Watts says the data they
have should allow them to still answer
the questions they care about most,
which is exploring the efficiency of in-
termediary connections selected.
“We know how far you are from
the target, Facebook knows how far
your friends are from the target, and
we know who you picked, so we can
establish whether you made the right

Science

Quantum Mechanics Increases Randomness

A partially random string of
digits can be “amplified” into
total randomness, according to
a pair of theoretical physicists in
Switzerland.
Commercial random
number generators such as
a beam splitter can send a
photon through one of two slits,
generating either a 0 or a 1.
But if someone has tampered
with the generator so its output
is not perfectly random, the
individual could theoretically
deduce patterns in the output
and thus break the code. “Can
we turn this into a source of
perfect random numbers?” asks
Roger Colbeck of the Institute
of Theoretical Physics at ETH
Zurich. As Colbeck and fellow
ETH Zurich physicist Renato
Renner explain in an online
publication that appeared
last May in the journal Nature
Physics, “Provided the adversary
doesn’t know too much, the
answer is yes.”
The solution relies on
entanglement, the fact that
two particles can be tied
together in such a way that
measuring a physical property
of one immediately provides a
measurement of the other, even
if they are widely separated.
Using the partially random
numbers to decide which
property to measure—the angle
of polarization of a photon,
say—and then assigning a 0 or
1 based on the outcome of that
measurement, produces a truly
random sequence.
If a high enough proportion
of the initial sequence is not
random, that affects the final
sequence in a detectable way.
The ETH Zurich researchers
can run a statistical analysis
of the outcomes of their
measurements and if the
distribution of outcomes strays
too far from the distribution
predicted by quantum
mechanics, they know the
system is unreliable.
Colbeck would like to
find a way to generate perfect
randomness starting with
even tiny amounts of initial
randomness. That would
probably require performing
another, more complicated
procedure, but just what
that might be, the researchers
do not yet know.
—Neil Savage

14 comm unicatio ns o f th e acm | j u ly 201 2 | vol . 5 5 | no. 7


choice,” Watts says. “So we can get the
most science out of it, it’s just a little
bummer that the attrition was so bad.”
The logic behind finding the most
efficient paths may produce payoffs
unforeseen for both theoretical mod-
eling and production networks such
as search engine optimization. Find-
ing the best ways to determine those
paths, though, will necessitate a leap
from the known models of small-world
networks to a better understanding of
the intermediary steps between any
two endpoints of a chain.
Leskovec says, given constants from
graph theory, the diameter of any given
network will grow logarithmically with
its size; that is, the difference between
five and six degrees of separation man-
dates a graph an order of magnitude
larger or denser. Jon Kleinberg, Tisch
University professor in the department
of computer science at Cornell Univer-
sity, whose “The Small-World Phenom-
enon: An Algorithmic Perspective” is re-
garded as one of the problem’s seminal
modeling documents, says this basic
property is precisely what makes the
small-world theory so appealing while
also presenting the research communi-
ty the greatest challenge inherent in it.
“It’s something that still feels coun-
terintuitive when you first encounter
it,” Kleinberg says. “It makes sense in
the end: I know 1,000 people and my
friend knows 1,000 people—and you
don’t have to multiply 1,000 by itself
too many times for it to make sense.”
However, this logarithmic progres-
sion also precludes the ability to ex-
amine or design intermediate levels
of scale, Kleinberg says. “We thought
the right definition of distance was
going to be ‘Here I am, and how many
steps do I have to go to get to you?’
but that turns out not to be. We need
some other measure and I think that
remains an interesting open question,
that people are actively looking at: Is
there some kind of smoother scale
here? Who are the 10,000 people clos-
est to me? The 100,000?
“We need a much more subtle way
to do that and it is going to require
some sophisticated mathematical
ideas and sophisticated combination-
al ideas—what is the right definition of
distance when you’re looking at social
networks? It’s not just how many steps
I have to go. That’s an important ques-
“What is the right
definition of distance
when you’re looking
at social networks?”
asks Jon Kleinberg.
“It’s not just
how many steps
I have to go.”
tion in everyday life and when you’re
designing some online system.”
Mozart Meets The Terminator
Recent research is beginning to use the
short-path principles of social search
in the online systems discussed by
Kleinberg. In “Degrees of Separation
in Social Networks,” presented at the
Fourth International Symposium on
Combinatorial Search 2011, research-
ers from Shiraz University, Carnegie
Mellon University, and the University
of Alberta designed a search algorithm,
tested on Twitter, intended for uses be-
yond social search.
For example, they reported in Voice
over Internet Protocol (VoIP) networks,
when a user calls another user in the
network, he or she is first connected
to a VoIP carrier, a main node in the
network. The VoIP carrier connects the
call to the destination either directly
or, more commonly, through another
VoIP carrier.
“The length of the path from the
caller to the receiver is important since
it affects both the quality and price of
the call,” the researchers noted. “The
algorithms that are developed in this
paper can be used to find a short path
(fewest carriers) between the initial
(sender) and the goal (receiver) nodes
in the network.”
These algorithms, such as greedy
algorithms enhanced by geographic
heuristics, or probabalistic bidirection-
al methods, have the potential to cut
some of the overhead, and cost, of net-
work search sessions such as the sam-
ple VoIP session, the authors believe.
ju ly 2 0 1 2 | vo l . 55 | n o. 7 | c om m u n i c at ion s o f t he acm
news
Leskovec’s most recent work based
on small-world algorithms explores
the paths that humans take in connect-
ing concepts that, on the surface, seem
rather disparate, such as Wolfgang
Amadeus Mozart and the Termina-
tor character from the science-fiction
films starring Arnold Schwarzenegger.
“As a human, I sort of know how
the knowledge fits together,” Lesk-
ovec says. “If I want to go from Mozart
to Terminator and I know Mozart was
from Austria and Schwarzenegger was
from Austria, maybe I can go through
the Austrian connection. A computer
that is truly decentralized has no clue,
it has no conception that getting to
Schwarzenegger is good enough.”
Interestingly enough, Leskovec
says, computers fared better than
humans on average on solving such
search chains, but humans also were
less likely to get totally lost and were ca-
pable of forming backup plans, which
the Web-crawling agents could not do.
Effectively, he says, the payoff of such
research is “understanding how hu-
mans do this, what kind of cues are we
using, and how to make the cues more
efficient or help us recognize them, to
help us understand where we are, right
now, in this global network.”
Further Reading
Backstrom, L., Boldi, P., Rosa, M.,
Ugander, J., and Vigna, S.
Four degrees of separation, http://arxiv.org/
abs/1111.4570, Jan. 6, 2012.
Bakhshandeh, R., Samadi, M.,
Azimifar, Z., and Schaeffer, J.
Degrees of separation in social networks,
Proceedings of the Fourth International
Symposium on Combinatorial Search,
Barcelona, Spain, July 15–16, 2011.
Goel, S., Muhamad, R., and Watts, D.
Social search in “small-world”
experiments, 18th International World
Wide Web Conference, Madrid, Spain,
April 20–24, 2009.
Kleinberg, J.
The small-world phenomenon: an
algorithmic perspective, 32nd ACM
Symposium on Theory of Computing,
Portland, OR, May 21–23, 2000.
West, R., and Leskovec, J.
Human wayfinding in information networks,
22nd International World Wide Web
Conference, Lyon, France, April 16–20, 2012.
Gregory Goth is an Oakville, CT-based writer who
specializes in science and technology.
© 2012 ACM 0001-0782/12/07 $15.00
15
news

Technology | doi:10.1145/2209249.2209256 Gary Anthes

HTML5 Leads
a Web Revolution
Propelled by a proliferation of mobile devices and social networks,
an enhanced family of Web specifications is bringing new power
to developers and new capabilities to users.

D
evelopers of softwarefor the
World Wide Web say the new
HTML5 standard is revolu-
tionizing the way the Web
evolves, works, and is used.
It is simplifying the work of program-
mers, harmonizing access to diverse
devices and applications, and giving
users amazing new capabilities, they
say. Yet, HTML, the HyperText Markup
Language, is just a way to tag parts of
a document so that Web browsers can
deal with them intelligently.
How could a humble mechanism
for tagging Web pages have such a
big impact? Is the hype surrounding
the fifth version of HTML just a lot of
geeky noise? And why should comput-
er professionals care about it, anyway?
The hype is justified; the difficulty
lies in the definition because HTML5
is both a single specification and a
whole set of technologies.
While the markup language has
for more than two decades remained
at the core of Web software, HTML5
is most often thought of broadly to
include new versions of the markup
language itself and its associated
standard for accessing and manipu-
lating HTML documents, the Docu-
ment Object Model; Cascading Style
Sheets (CSS), a language to define the
presentation and appearance of an
HTML document; and the JavaScript
scripting language. The term is often
used even more broadly to include
specific application programming
interfaces (APIs), such as those that
enable new browser-based graphics,
geolocation, local storage, and video
capabilities.
And HTML5 is at the heart of the
World Wide Web Consortium’s (W3C’s)
Open Web Platform, an umbrella term
that changes over time and that refers
to the markup language and various
technologies that pertain to it.
Indeed, the popular definition of
HTML has expanded and matured as
the Internet has grown more powerful
and its reach has increased, says Ian Ja-
cobs, editor of the W3C’s HTML4 recom-
mendations and other standards. “The
Web over 20 years has developed from
a Web of more-or-less static documents
to, now, a platform for applications.”
There are two driving forces behind
this evolution, Jacobs says. First is the
proliferation of diverse devices that,
coupled with the variety of browsers,
greatly complicate life for developers,
who want to “write once and deploy ev-
erywhere.” Second, he says, “the Web
has now embraced the social network-
ing model, and when you can tap into
that, you can reach many more custom-
ers.” In some cases, hundreds of mil-
lions of more customers.
A Developer-Friendly Standard
Ocupop, a graphics and Web design
and marketing firm, has begun us-
ing HTML5 for all its Web work. Not
all of the highly touted features in the
umbrella standard are strictly speak-
ing “new,” says Matthew McVickar, a
Web developer and usability designer
at Ocupop. “They are codifications of
techniques used in the past. It takes
stuff that developers were trying to do,
or wanted to do, and made them into
stuff that’s natively supported in the
browser.” For example, he says, HTML5
has a standard JavaScript interface for
Screensh ots courtesy of mobile- pat t erns.co m

geolocation, so that a Web browser on

a mobile device can access GPS data
without invoking a custom-written API
to a GPS device or application.
That may not be apparent to the end
user, but it is a big deal for software
developers. Developers can, by writing
to HTML5, enable transparent access
Thanks to HTML5, developers can now enable transparent access to geolocation information to geolocation information without
without having to write separate code for each browser and device. having to write separate code for each

16 comm unicatio ns o f the ac m | j u ly 201 2 | vo l. 5 5 | no. 7


browser and device. It is exactly what a
standard is intended to do.
Similarly, CSS3, the newly updated
presentation language, allows a devel-
oper to produce certain looks natively
in the browser, without constructing
them externally—say, in Photoshop—
and then importing them. For exam-
ple, a heading can be given a text shad-
ow quickly and easily in the browser,
and it can be changed “on the fly,” says
McVickar. “It’s a huge timesaver.”
McVickar notes the new standards
are providing a useful catalyst for ven-
dors eager to take advantage of the
Web’s latest capabilities. “The browser
vendors are falling all over themselves
to develop their browsers as quickly and
as cutting edge as they can,” he says.
In a feature referred to as “local stor-
age,” HTML5 allows persistent storage
of structured session data on the Web
client. Unlike cookies, which can only
efficiently store data in small amounts
and have other technical limitations,
this capability allows the storage of large
amounts of data for access later when a
connection to a Web server may not be
possible or desirable. And HTML5 sup-
ports richer graphics, such as native
support for embedded Scalable Vector
Graphics, and the raster-based Canvas
that enables users to draw 2D and 3D
graphics in a Web page using JavaScript.
Tighter Specs
The new specifications are a big help
to the vendors, agrees Ian Hickson, a
software engineer at Google and the
company’s liaison with W3C and the
Web Hypertext Application Technology
Working Group (WHATWG). WHATWG
is a complementary standards body
founded in 2004 by Hickson, then at Ap-
ple, and others from Apple, the Mozilla
Foundation, and Opera Software. “One
of the most important strides we’ve
made with the HTML effort has been
the significant increase in the quality
of our specifications,” says Hickson. “It
used to be that the specs were pretty
vague; two browser vendors could im-
plement the same specs and honestly
claim compliance without those brows-
ers truly being compatible. Now, the
specs are so detailed that if you imple-
ment the spec as written you really will
be compatible with all the other brows-
ers and with all the content that already
exists. This has been a huge amount of
The newly updated
presentation
language CSS3
allows a developer
to produce certain
looks natively in
the browser without
constructing them
externally and then
importing them.
work, but it’s critically important stuff.”
Still, although it is being deployed
now, HTML5 is not a finished standard,
and its adoption varies by company and
industry. For example, it does not spec-
ify a single standard for video compres-
sion (codec), streaming protocol, or
digital rights management (DRM). The
industry was well on the way toward
adopting Adobe Flash as a de facto
standard for video until Apple in 2010
declared its iPhone and iPad would not
support Flash but would employ Ap-
ple’s own collection of Web technolo-
gies, including HTML5. Meanwhile,
Microsoft and Google have their own
not entirely compatible approaches to
video, and different browsers support
different audio and video codecs. So,
software developers still must accom-
modate multiple methods if they want
to have comprehensive coverage.
Hui Zhang, an Internet specialist
and computer science professor at
Carnegie Mellon University, explains
that “HTML5 has tremendous momen-
tum, but it’s not 100% supported across
all browsers because it’s not a standard
yet. Many vendors are contributing
to the process.” The challenge is not
unique to video, he notes. Vendors see
the advantages of standards for them-
selves and their customers, but at the
same time they strive to differentiate
their products for competitive advan-
tage. “You want to get a bigger share of
the pie,” he warns. “But if you are too
greedy, the pie is destroyed.”
Zhang is keenly interested in video
as a cofounder of Conviva Inc., a firm
ju ly 2 0 1 2 | vo l. 55 | n o. 7 | c om m u n i c at ion s o f t he acm
news
developing products to improve the vi-
sual quality of Internet video. He says
video is the most complex of Internet-
borne information and that vendors’
technologies for codecs, streaming
protocols, and DRM will be “the slow-
est to converge” to standards.
Officially, HTML5, when narrowly
defined as the hypertext markup lan-
guage specification, is on track to
become a full specification and an of-
ficial recommendation by the W3C in
2014. “But the individual specifica-
tions are at different maturity levels
and will become standards at different
times,” the W3C’s Jacobs says.
Philippe Le Hégaret, interaction do-
main lead at the W3C, says, “It is not a
product where we say, ‘OK, now we are
done.’ The scope keeps increasing.”
It includes about 60 APIs now, and re-
quests for additions keep coming in,
he says. For example, the W3C recently
received a request to include support
for conversion between speech and
text inside the Web browser, a request
that is under consideration.
“There’s a near-infinite volume of
things that the Web doesn’t support
yet,” says Google’s Hickson. Asked
about HTML6, he says, “HTML is just
HTML, we [WHATWG] dropped the
number early last year. It’s just con-
tinuously developed, like the browsers.
Development of HTML will just pro-
ceed until HTML is dead.”
Further Reading
Bidelman, E., et al.
HTML5 Rocks, http://www.html5rocks.com.
Khan, S.
HTML5 unleashed: tips, tricks and
techniques, http://www.w3avenue.com,
May 7, 2010.
Lawson, B. and Sharp, R.
Introducing HTML5, 2nd Edition,
New Riders Press, Berkeley, CA, 2011.
Web Hypertext Application
Technology Working Group
HTML–Living Standard,
http://www.whatwg.org/specs/web-apps/
current-work/multipage.
World Wide Web Consortium
HTML5—A vocabulary and associated APIs
for HTML and XHTML, Editor’s Draft, May
8, 2012, http://dev.w3.org/html5/spec/
Overview.html.
Gary Anthes is a technology writer and editor based in
Arlington, VA.
© 2012 ACM 0001-0782/12/07 $15.00
17
news

Society | doi:10.1145/2209249.2209257 Marina Krakovsky

Patently Inadequate
The biggest change to U.S. patent law in nearly 60 years
brings many changes, but fails to solve the software industry’s
most vexing problems.

W
ell before President
Obama signed the Lea-
hy-Smith America In-
vents Act (AIA) into law
last September, the bill
was already being hailed as the biggest
overhaul to U.S. patent law since 1952.
Promising to spur innovation, shorten
application backlogs, and curtail legal
costs, the bipartisan bill easily passed
both houses of Congress. But despite
grand aims, lawmakers did not rebuild
the patent law from the ground up. In-
stead, they assembled a hodgepodge
of compromises, particularly between
the interests of large software compa-
nies, for whom patents have largely
been a net drain, and those of biotech-
nology firms, which favored strong
patent protection. To the bill’s mild-
est critics, AIA did not go far enough President Obama signed the America Invents Act into law on September 16, 2011, at Thomas
in meeting the needs of the software Jefferson High School for Science and Technology in Alexandria, VA.
industry. To bigger detractors, the
new law is even worse than the old Although the full implications are thorn in its side. Consider, for exam-
system—it is the legislative equivalent not known, most experts agree on ple, the Texas case earlier this year in
of spaghetti code, a jumble of rules which handful of changes will have which World Wide Web inventor Sir
whose meaning and implications will the greatest impact on the software in- Tim Berners-Lee testified for the de-
take judges and intellectual property dustry, for which the threat of patent- fense against a group of plaintiffs who
(IP) lawyers years to untangle. infringement claims has long been a claimed that anyone using interactive
“This law is what the British call a Web features was trampling on their in-
‘dog’s breakfast’—a little bit of every- tellectual property. Though interactive
thing,” says University of California– One of the biggest features seem obvious to Internet pro-
Irvine law professor Dan Burk, who grammers today and have been a main-
testified during Congressional delib- and most positive stay of Web sites for years, the ease of
erations last March. Unfortunately, changes with the both patenting and suing made it easy
Photogra ph by Rex Features (144352 8G) Unit ed States VIA Ap i mages

Burk says, the lawmakers’ attempts
to reconcile competing aims led to
provisions that have not been tested
in other countries. “None of this new
stuff has ever been seen anywhere
on the planet Earth before,” he says.
“This is brand-new stuff that they
made up in the halls of Congress, so
nobody really knows what it means
or how a lot of it is going to turn out.
As a consequence, I’m guessing we
have 20 years of litigation ahead of us
before we know what the rules of the
game are.”
for holders of two older patents to try
America Invents Act wringing money out of anyone using in-
is the establishment teractive elements. (The plaintiffs lost.)
The overwhelming majority of patent
of prior-user disputes never actually go to trial, but
rights as a defense even settling lawsuits is expensive. Un-
der the old law, Burk says, “a patent
against patent holder could sue, offer to settle for $1.5
infringement suits. million, and walk away with a nice pile
of cash without putting the patent sig-
nificantly at risk. It was cheaper for the
defendant to pony up the $1.5 million.”
This problem will not go away un-
der the new law, but some of the law’s

18 com municatio ns o f th e ac m | j u ly 201 2 | vol . 5 5 | no. 7


changes will help at least somewhat.
One of the biggest and most positive
changes is the establishment of prior-
user rights as a defense against patent
infringement suits. “There are thou-
sands and thousands of examples of
software used by companies for making
things,” explains law professor John Al-
lison of the University of Texas–Austin.
In many other countries, patent laws en-
able companies to keep such internally
used techniques a trade secret without
worrying that they would be on the hook
for patent infringement if someone else
decided to patent the same technique.
In the U.S., on the other hand, “under
the old law you could lose your ability to
use technology that you invented,” says
John Duffy, a law professor at the Uni-
versity of Virginia School of Law.
The AIA’s introduction of the prior-
user defense changes all of that. Es-
pecially given the costs of patenting,
firms will likely have less incentive to
disclose their inventions under this
new provision, so the upshot could
well be fewer patent filings and more
trade secrecy. Even so, only time will
tell whether companies will increase
investment in technologies that they
will not be patenting, says Allison, an
empirical legal scholar.
First to Disclose
Another major change, which like the
prior-user defense tries to harmonize
America’s patent process with that
of the rest of the world, is the much-
discussed move from a first-to-invent
system to a first-inventor-to-file sys-
tem. The old system was a recipe for
priority disputes (called interferences)
because if two people working inde-
pendently both filed for a patent, there
was a question of who was the first to
invent. “Those proceedings were very
messy and hard to resolve because
people didn’t document very well what
they were thinking on a given day,”
says John Marshall Law School profes-
sor Richard Gruner, who directs the
school’s Center for Intellectual Prop-
erty Law. The new law aims to ward off
such contests by creating a bright-line
rule—priority would simply go to the
first person to file the patent.
But in practice things will not be
so clear-cut, says Burk. With the new
law, he says, “we’re neither first-to-
invent nor first-to-file. What we really
news
are now is ‘first-inventor-to-disclose.’” Legal
That is because the law gives inventors
Jim Gray
up to a year to file a patent after pub-
licly disclosing the invention. “That
then blocks everybody out for a year.”
An unintended consequence of this,
Declared
Burk believes, will be an impetus to
game the system, especially around the Dead
March 16, 2013 changeover to the new
system, with software developers and On a clear and sunny day
in January 2007, Jim Gray
their lawyers strategizing about when disappeared with his 40-foot
to disclose an invention and when to yacht Tenacious off the coast
file a patent. The law is not retroactive: of San Francisco. Despite an
exhaustive search, neither Gray
Patents filed before the March change-
nor the vessel was ever found.
over will be subject to the old system, Under California law, a person
so anyone with a patentable idea today cannot be legally declared
faces the tough decision of whether to dead until five years following a
disappearance.
file now or to delay for the sake of fall- A California court granted
ing under the new system. Burk says Gray’s death certificate on
he is already seeing this kind of head- May 16. He was 63 when he
scratching among some companies’ vanished while heading out to
the Farallon Islands to spread
in-house counsel. The rules of the his mother’s ashes at sea.
game are even more muddled by the “I don’t focus on the mystery—
fact that the law does not actually de- it’s a problem that could not
be solved and that’s extremely
fine the term “inventor,” he says. frustrating for those in the
Despite the one-year grace period, computing sciences arena,”
most experts predict the change from says Donna Carnes, his widow.
a first-to-invent system will spur a rush “I have had to learn to accept
the situation. But this does
to the patent office, which could mean a bring closure to a long and
pile of hasty, slapdash applications and, difficult event.”
most likely, an even bigger edge than Gray was instrumental in
developing several important
ever for corporate giants with the means
database and transactional
to hire teams of pricey IP lawyers. systems, including IBM’s
Some say that to compete with over- System R, which served as a
seas patent applicants the larger com- building block for SQL. Gray
also helped develop granular
panies were already thinking in terms database locking and widely
of first-to-file even before the new law. used OLAP cubes. He played a
As Gruner puts it, “Any company that key role in building Microsoft’s
filed [later than others] in Europe or Virtual Earth platform as
well. Gray received the ACM
Japan was already out of luck in those A.M. Turing Award in 1998
systems.” But the AIA’s expansion of “for seminal contributions
what counts as “prior art” that can be to database and transaction
processing research and
used to invalidate a patent creates new technical leadership in system
incentives to file early and often. This implementation.”
expansion, of course, also means it The news that Gray’s yacht
will be harder to obtain a patent, since was missing sent shock waves
through the computer science
more prior art will mean that fewer community. Many of Gray’s
new patent applications will pass the colleagues and friends—from
novelty and non-obviousness tests. Amazon, Google, IBM, NASA,
Oracle, and Microsoft, where he
worked as a Technical Fellow
Weeding Out the Worst when he disappeared—poured
Just about everyone agrees the AIA will their knowledge and expertise
do away with the very worst patents. “A into the search.
“At this point I am simply
lot of people in the software industry grateful for the time I had
complain about obvious patents being with Jim,” says Carnes. “He
issued,” says the University of Virginia’s made enormous contributions
Duffy, adding that obvious or non-novel to the world and those around
him. I am hoping that this
patents increase costs without improv- event brings a bit of peace
ing business conditions. “If there are to everyone.”
a lot of bad patents, that’s like stupid —Samuel Greengard
ju ly 2 0 1 2 | vo l . 55 | n o. 7 | c om m u n i c at ion s o f t he ac m 19
news

regulation—the kind of thing trade or-
ganizations lobby to prevent.” There-
fore, even though Duffy is wary of big
government (and concerned the AIA
may have given the U.S. patent office
the fee-setting power to bloat itself),
he is glad to see new ways for anyone to
challenge bad patents directly through
the patent office rather than the courts.
That opens up the possibility of com-
munal policing—a kind of crowdsourc-
ing of the work of weeding out bad pat-
ents, which could drive down the costs
of maintaining high patent quality. But
like other legal scholars, Duffy is hesi-
tant to make predictions until the evi-
dence comes in. “It’s not at all clear that
it’ll reduce costly litigation,” he says.
“That’s the hope, not proven reality.”
It is also not clear that getting rid of
only the worst patents will do much to
slow large firms’ current patent arms
race that, most recently, spurred Apple,
Microsoft, and Google to pay billions of
dollars to acquire arsenals of patents
from Nortel and Motorola. This Cold
War-like strategy of mutually assured
destruction may be an effective de-
fense against lawsuits and injunctions
to stop selling products, but every dol-
lar spent stockpiling patents is a dollar
not spent on innovation. Improving
patent quality should help relieve this
problem, and the law aimed to make
it easier to challenge bad patents, says
Ted Sichelman, a former software en-
trepreneur who is now a professor at
the University of San Diego School of
Law. “But those provisions were wa-
tered down in the final bill.”
The America Invents
Act’s expansion of
what counts as
“prior art” that can
be used to invalidate
a patent will create
new incentives to
file early and often.
What about patent trolls, the so-
called “non-practicing entities” (NPEs)
that profit from settlements in nui-
sance suits against software companies
that actually develop and sell products?
Such legalized shakedowns are another
bane to the industry, particularly to
large corporations, so the patent-troll
problem was a major impetus for pat-
ent reform. Yet only the new joinder
provisions, meant to limit plaintiffs’
ability to target multiple defendants in
a single lawsuit, are likely to make any
kind of dent in that problem. “Suppose
you have a piece-of-junk patent,” ex-
plains Sichelman, “and the odds of you
winning a [patent infringement] law-
suit are pretty low; but you know it will
cost everyone involved $50,000, and in
patent cases it’s hard to get attorneys’
fees back. So the old model was to sue a
bunch of companies at once.”
The new joinder provisions change
the NPEs’ cost-benefit analysis, since
plaintiffs will no longer be able to inex-
pensively target additional defendants.
The marginal cost of filing separate
lawsuits is not huge, either, but the
new math means the NPEs will not be
suing willy-nilly.
It is possible the law will have posi-
tive effects on the larger economy, but
probably not in ways the bill’s support-
ers would want. When reporters called
Irvine’s Burk for a comment on Senator
Patrick Leahy’s claim that the AIA would
create 200,000 new jobs, Burk was quick
to offer a quip. “I said, ‘Yeah, for patent
lawyers.’ If I were running I business, I
wouldn’t be so excited about it.”
Further Reading
Crouch, D. and Rantanen, J.
Patently-O blog, www.patentlyo.com.
Coyne, P.J.
The America Invents Act: How does it
strengthen the patent system? Bloomberg
BNA’s Patent, Trademark & Copyright
Journal, Oct. 28, 2011.
Durham, A.
Patent Law Essentials: A Concise Guide,
Praeger, Westport, CT, 2009.
Hawley, J.J.
Patent Law Forum: America Invents Act,
http://youtu.be/P383R9MFtiE, March 12, 2012.
Pressman, D.
Patent It Yourself, Nolo, Berkeley, CA, 2011.
Based in San Francisco, Marina Krakovsky is the
co-author of Secrets of the Moneylab: How Behavioral
Economics Can Improve Your Business.
© 2012 ACM 0001-0782/12/07 $15.00

Milestones

Computer Science Awards

The Technology Academy of
Finland, Royal Society, National
Academy of Sciences, and
Cambridge Center for Behavioral
Studies recently honored leading
computer scientists.
Millennium Technology
Prize
The Technology Academy of
Finland named Linus Torvalds
as one of the two laureates for
its 2012 Millennium Technology
Prize. (The other laureate is
Dr. Shinya Yamanaka who
was recognized for his work
on pluripotent stem cells.)
Torvalds received the award in
recognition “of his widely used
Linux kernel and the creation
of a new open source operating
system for computers.”
Royal Society Fellows
The Royal Society named
Alan Bundy, professor of
automated reasoning, School
of Informatics, University of
Edinburgh, as a 2012 Fellow for
his “world-leading contributions
to both automated reasoning
and the automated formation
and evolution of representations
of knowledge.”
National Academy
Members
The National Academy of
Sciences elected 84 new
members and 21 foreign
associates from 15 countries
in recognition of their
distinguished and continuing
achievements in original
research. Among those elected
is Barbara Liskov, Institute
Professor, Massachusetts
Institute of Technology.
Loebner Prize
The Cambridge Center for
Behavioral Studies awarded the
2012 Loebner Prize to Mohan
Embar, a software consultant
based in Milwaukee, for the
performance of his chatbot,
Chip Vivant, which was voted
to be the most humanlike
conversationalist.
—Jack Rosenberger

20 comm unic atio ns o f the acm | j u ly 201 2 | vo l. 5 5 | no. 7


History | doi:10.1145/2209249.2209258 Paul Hyman
Lost and Found
Researchers discover computer pioneer Konrad Zuse’s
long-forgotten Z9, the world’s first program-controlled binary relay
calculator using floating-point arithmetic.
W
hen researchers stum-
bled across the Zuse Z9
in the storage room of
a Swiss museum two
years ago, they initially
did not recognize the significance of
what they had found. In fact, the Z9
was unknown even to many historians
of computing.
But they soon came to realize what
they had uncovered: The world’s first
workable program-controlled binary
relay calculator using floating-point
arithmetic, which was the creation of
computer pioneer Konrad Zuse, whose
100th birthday they were celebrating.
A German civil engineer, Zuse had
created the world’s first functional,
program-controlled Turing-complete
computer, the Z3, in 1941. That same
year he founded one of the earliest
commercial computer companies,
which produced the Z4, the world’s
first commercial computer. And in
1946, he designed the first high-level
programming language, Plankalkül.
He founded another company, Zuse
KG, in 1949 and developed the Z9 for
Remington Rand Zurich and other
large companies. The Z9 consisted of
a processor, an input and output unit,
and a rectifier, and was embedded in
a group of punch card machines. The
Z9 was Zuse KG’s first relay calculator
manufactured in series, with delivery
starting in 1953. Some 20 to 30 Z9s
were manufactured.
The confusion surrounding the Z9
stems in part from the fact that Kon-
rad Zuse describes the machine in
Photogra ph by A P- Photo/ Karsten T hielker
his memoirs but never refers to it by
name. According to his writings, the
Z9 was able to perform all four basic
arithmetic operations, among oth-
ers. The calculating punch was used
mostly for office work but also for en-
gineering tasks.
However, all but one of the Z9s has
apparently been destroyed, according
Konrad Zuse tinkers with a reproduction of
an early mechanical computer in 1980.
to Herbert Bruderer, a lecturer in the
department of computer science at
ETH Zurich, who has written a book,
Konrad Zuse And Switzerland: Who In-
vented The Computer?, about Konrad
Zuse and other early computer pion-
neers and their inventions.
On June 22, 2010, Konrad Zuse’s
100th birthday, the Zurich newspaper
Tages-Anzeiger published an article by
Bruderer about Zuse, who had died in
1995, and the Z4. “Two days later, I got
a phone call from Josef Steinmann,
who lives near Lucerne, [Switzerland]
who told me about the existence of
the Z9 and his experience with the ma-
chine,” Bruderer recalls.
Steinmann is one of the few living
Z9 users, having worked on the tech-
nical staff of Remington Rand Zurich
from 1956 to 1960. “Together we start-
ed looking for other eyewitnesses,”
says Bruderer. “We found five.”
One, electronic engineer Ernst In-
auen, began working at Remington
Rand Zurich in 1958, spending most of
ju ly 2 0 1 2 | vo l . 55 | n o. 7 | c om m u n i cat ion s o f t he ac m
news
his time programming and maintain-
ing the Z9. Another, electrician Max
Forrer, was the technician in charge of
the Z9 at a Swiss spinning and weaving
company from 1956 to 1968. The ma-
chine was mostly used to keep track of
the salaries of the company’s 700 em-
ployees, print invoices, manage inven-
tory, and create sales reports.
“The Z9 was very expensive to main-
tain,” Forrer recalls, “and had many
problems necessitating having a tech-
nician in the company.” He remembers
being sent to Zurich for six months
where he met Konrad Zuse, who over-
saw his training.
During his search for eyewitnesses,
Bruderer talked to many Remington
Rand customers and to museums in
Switzerland and abroad to find surviv-
ing machines.
But, to Bruderer’s surprise, the
curator of the Museum für Kommu-
nikation in Berne contacted him to
say that, in 2010, it had acquired a Z9
from the Technorama, which had re-
cently divested itself of its computer
collection. The Z9 now resides in the
museum’s main repository.
Zuse KG built a total of 251 com-
puters by 1967, but suffered financial
problems. It was eventually purchased
by Siemens and no longer exists.
One final note adding to the mys-
tery: The Z9 is often referred to as
the M9 as a result of legal wrangling
that occurred when Konrad Zuse was
forced to change its name to conclude
his contract with Remington Rand. Be-
cause his patents had been temporar-
ily transferred elsewhere, the company
decided to rename the device the M9,
with M standing for “Mithra,” report-
edly “a mysterious subsidiary of Rem-
ington Rand Zurich,” says Bruderer.
Paul Hyman is a science and technology writer based in
Great Neck, NY.
© 2012 ACM 0001-0782/12/07 $15.00
21
V
doi:10.1145/2209249.2209259 Mari Sako
Technology Strategy
and Management
Business Models for
Strategy and Innovation
While often ambiguously defined, business models are central to innovation.
W
e frequently hear the
term business model roll
off the tongue of not
only technology entre-
preneurs and venture
capitalists, but also corporate manag-
ers, public officials, and professionals.
When the President of the Law Society
of England and Wales asks what the
business model for lawyers should be,
or when a commodore states that his
naval acumen has been put to test by
the business model of Somali pirates,
it is time to become more circumspect.
What is so enticing but also elusive
about business models and business
model innovation? This column consid-
ers when and how the term came into
use, and then addresses three intrigu-
ing questions: Why does it continue to
be an important concept in practice?
Who should be in charge of innovating
in business models? How transferrable
is a business model across companies?
The notion of business models is
as old as the hills, and human history
is strewn with business model inno-
22 c ommunicatio ns o f th e ac m | j u ly 201 2 | vo l . 5 5 | no. 7
viewpoints
vations that precede the U.S.-centric
management education in the 20th
century. However, the proximate ori-
gin of the use of the term (rather than
the concept) of business models may
be traced to specialists in computing
and systems modeling. They used the
term to refer to computer simulations
of business processes. It was argued
that as the business environment be-
came more complex, the potential val-
ue of business models would inevitably
increase, and that as managers gain
more knowledge in modeling tech-
niques, computerized models should
become an indispensable aid in many
business functions.
However, business model did not
acquire prominence in the lexicon of
the start-up community until the mid-
1990s.2,6 With the exponential growth
in the usage of the term during the
dot-com boom, the early literal mean-
ing of business model (and modeling)
morphed into a new meaning, refer-
ring to the creation of value in digital
business. This value focus came about
in the face of users’ presumption that
information should be made available
free on the Web.
Business Models Triggered
by Digital Technology
Business models are essential for con-
verting new technologies into com-
mercial value. Every company has an
implicit business model in the sense
of linking ideas and technologies to
commercial outcomes. However, it is
the startups that had to articulate their
business model, not least to obtain ini-
tial funding. A fantastic piece of new
technology remains unexploited if it
lacks the “go to market” mechanisms
for creating value for end users.
Starting with e-commerce and more
recently with interactive Web appli-
cations and cloud computing, digital
technology has created opportunities
for new business models. Technology
impacts two sides of business mod-
els: cost and revenue. For example,
the disintermediation of retailers ad-
opted by Amazon and Dell touches on

both sides, as does the “pay per click”
advertising-based search by Google. By
contrast, a pricing model (such as the
“freemium” model adopted by Adobe,
Skype, Myspace, and open source soft-
ware companies to give basic service
away for free and charge premium pric-
es for value-added services) affects the
revenue side.
The so-called Web 2.0 and cloud
computing lie on this continuum in
the potential development of new busi-
ness models, addressing both sides.
On the cost side, cloud computing re-
moves the need to invest up front in
expensive servers, thus turning capital
expenditure into operational expenses
and lowering barriers to entry. How-
ever, to turn various service models
such as “infrastructure as a service” or
“software as a service” into a business
model, providers must work out the
revenue side with the choice of a specif-
ic pricing policy and targeted customer
segments. Without working out these
dimensions, the money will not follow
no matter how cool the technology.
Business Models in Strategy
Business strategists started to pay
greater attention to the business model
once its central focus on value creation
became evident. In contrast to busi-
ness process design at the operational
level, a business model defines the
overall business logic of a company at
Illustration by Mich ael Aust in
the strategic level. However, there are
two ambiguities that, if resolved, would
make the business model a more use-
ful tool in strategy: first, what elements
constitute a business model; and sec-
ond, the extent to which business mod-
els can be planned in advance.
When we see a well-functioning
business model in action, it is not dif-
ficult to see there are several compo-
nents that fit into a coherent whole.
In particular, a business model articu-
lates the customer value proposition;
it identifies a market segment; it de-
fines the structure of the value chain; it
specifies the revenue generation mech-
anisms; it describes the positioning
within the value network or ecosystem;
and it also elaborates on competitive
strategy by which the firm gains and
holds advantage over rivals.1
For example, Apple, with its iPods,
iTunes, iPhones, and iPads, provides
a unique experience to consumers, by
targeting the market segment that cares
about style as well as performance.
Apple has an outsourced positioning
in the supply chain, has specified its
revenue generation mechanisms that
bundle products and services, and has
created an ecosystem that includes
telecom providers, music content pro-
viders, and other suppliers. Apple’s
business model behaves like a platform
as it attracts external companies to in-
vest in activities that enhance its value.
Thus, business models are firm-cen-
tric, but with a lot of thought that goes
into their boundary-spanning func-
tion. The latter ensures the focal firm
can rely on the resources and capabili-
ties of third parties, and harness ex-
ternal technologies and ideas through
“open business models.”1
However, the first unhelpful dis-
agreement among strategists is on
how to bound the business model
concept. In particular, should the busi-
ness model focus on value creation or
also incorporate the notion of value
ju ly 2 0 1 2 | vo l. 55 | n o. 7 | c om m u n i c at ion s of t he acm
viewpoints
capture? Some argue that a business
model is about co-defining total value
creation—the overall size of the pie—
for all parties involved. How much of
the total pie the focal firm actually cap-
tures depends on its revenue model,
which should remain separate from its
business model.5 By contrast, others
argue that a business model defines
both the “go to market” and “value
capturing” strategies.4 In the latter, de-
signing and implementing a business
model is the essence of strategy. In
the former, a business model must be
combined with other things (a revenue
model, resources and capabilities, and
so forth) to constitute a good strategy.
A second point on which strategists
disagree lies in the balance between
planning and experimentation to ar-
rive at an appropriate business model.
The planning perspective regards a
business model as a matter of design-
ing an activity system.5 By contrast, the
experimentation perspective empha-
sizes a discovery process of trial and
error, just as Google experimented in
the process of a transition from pay-
per-transaction to advertising-based
Internet search. Any novel idea goes
through a process of trial and error be-
fore it becomes viable as a prototype,
then a model to be adopted widely.
In this sense, followers may attempt
to imitate a well-articulated business
model. But inventing a novel business
model is a matter for innovators taking
risks in the process.
Business Model Innovation
Thus, business model can be a subject
of innovation in itself, pursuing novel
forms of value creation and captur-
23
viewpoints
ing mechanisms. Even without novel
technology, new business models can
be central in their own right to ensure
business success. For example, Dell
did not focus on improving the person-
al computer, but innovated in an as-
pect of its business model, namely sup-
ply chain and distribution systems, to
deliver compelling value to end users.
A usage-based auto insurance
scheme, called Pay As You Drive
(PAYD) developed by Progressive
Corporation, is a good example of a
business model that has undergone a
process of innovation and adaptation
over a decade.a Based on a family of
business method patents, this insur-
ance method is part of a new business
model that empowers drivers to con-
trol their consumption (customer val-
ue proposition), serves latent markets
for consumers previously reluctant to
insure because premiums were too
high (market segment identification),
and fundamentally restructures the
revenue model through lower premi-
um levels but also lower claims. Back
in 1999, PAYD used GPS satellites
to determine when, where, and how
much an insured vehicle was driven
in order to determine the premium.
High technology costs and policy-
holders’ perception of privacy inva-
sion posed challenges to implement-
ing the business model. Progressive
worked in partnership with insurance
telematics suppliers to lower the cost
of monitoring devices. Progressive
also took a long-term view in educat-
ing drivers via the PAYD portal, in or-
der to achieve a right balance between
the perceived cost of privacy invasion
and the benefits of greater control
over driving behavior and hence in-
surance cost. Thus, the ecosystem
for a business model takes time to
develop, not only in terms of the de-
velopment of affordable supporting
technologies, but also in terms of the
emergence of educated consumers
and regulatory bodies.
As firms experiment with novel
mechanisms for value creation and
capture, they must bring to bear cross-
functional capabilities in technology,
a This case is based on Panos Dessyllas and Mari
Sako, “Profiting from Business Model Innova-
tion: Evidence from Pay-As-You-Drive Auto In-
surance,” Research Policy, 2012, forthcoming.
24 c ommunic atio ns o f th e ac m | j u ly 201 2 | vol . 5 5 | no. 7
Even without novel
technology, new
business models can
be central in their
own right to ensure
business success.
intellectual property management,
marketing, procurement, and finance.
What Causes Disruption
in Business Models?
Business model innovation can be
subjected to continuous and incre-
mental changes, as previously men-
tioned, but it may also have the poten-
tial capacity for disruption. So, what
are the sources of disruption in busi-
ness model innovation?
Disruptions occur, of course, as a re-
sult of technological progress such as
in information and communications
technology. They also occur as a re-
sult of identifying new latent markets.
Within the developed world, compa-
nies in industries as diverse as airlines,
automobiles, banking, and media have
seen their markets invaded by new and
disruptive business models. New en-
trants, such as Southwest Airlines and
EasyJet in air travel, have captured mar-
ket share by targeting distinctive mar-
ket segments. More recently, low-cost
disrupters hail from emerging markets,
such as Tata Motors from India with the
Nano in automobiles and Galanz from
China with microwave ovens.
What is common across these new
players is their ability to produce value-
for-money products or services for low-
end markets that have been hitherto
underserved and latent.3 Ultimately,
what turns such low-cost innovation
into a disruptive business model is
the new players’ ability to create new
markets with new value propositions—
offering high tech and niche market
products at low cost—for customers.
Thus, in identifying new markets, we
are back to basics, to one of the fun-
damental principles of innovation ac-
cording to Joseph Schumpeter, known
for coining the term “creative destruc-
tion” in economics.
Conclusion
Business model is a term much used
but seldom defined explicitly. The
next time someone asks you “what
is the business model?” you know,
at a minimum, to refer to the way
your enterprise creates and delivers
value to customers. Some strategists
would also want to know the man-
ner in which the enterprise captures
value and converts it into profit. If
this notion is adopted, designing and
implementing business models is the
essence of strategy, to ensure sustain-
able competitive advantage.
Despite some definitional ambigu-
ity, business model remains an impor-
tant notion precisely because of its in-
tegrative nature. Unlike technological
innovation led by the R&D department,
business model innovation requires
cross-functional mechanisms for creat-
ing (and capturing) new value for users.
Moreover, business models are at
the heart of innovation in distinctive
ways. First, new technologies create
opportunities for new business mod-
els. Second, appropriate business
models are necessary to translate tech-
nical success into commercial success.
Third, business models themselves
are subject to innovation involving dis-
continuous changes in the paradigm
used by firms to go to market. In this
sense, the ability to sense deep truths
about what consumers really want, to
satisfy consumers’ unmet needs, is
perhaps the most important driver of
business model innovation.
References
1. Chesbrough, H. Open Business Models: How to Thrive
in the New Innovation Landscape. Harvard Business
School Press, Boston, MA, 2006.
2. Ghaziani, A. and Ventresca, M.J. Keywords and
cultural change: Frame analysis of business model
public talk, 1975–2000. Sociological Forum 20, 4
(2005), 523–559.
3. Hart, S.L. and Christensen, C. The great leap: Driving
innovation from the base of the pyramid. MIT Sloan
Management Review (Fall 2002), 51–56.
4. Teece, D. Business models, business strategy, and
innovation. Long Range Planning 43 (2010), 172–194.
5. Zott, C. and Amit, R. Business model design: An
activity based perspective. Long Range Planning 43
(2010), 216–226.
6. Zott, C. et al. The business model: Recent
developments and future research. Journal of
Management 37, 4 (2011), 1019–1042.
Mari Sako ([email protected]) is Professor of
Management Studies at Saïd Business School, University
of Oxford, U.K.
Copyright held by author.
 V
viewpoints

doi:10.1145/2209249.2209260 Pamela Samuelson

Legally Speaking
Can Online Piracy
Be Stopped by Laws?
Considering the legal responsibilities of Internet intermediaries
in the aftermath of the Stop Online Privacy Act controversy.

W
hile on a scuba diving
trip in the Seychelles
Islands earlier this
year, I found myself
worrying about pirates.
Real pirates, as in people who attack
boats, take hostages, and sometimes
kill their prey. This kind of piracy has
become unfortunately common in
that part of the world.
On board our ship were four for-
mer British special forces soldiers who
served as security guards. They were
armed with semiautomatic weapons
and on patrol, 24/7, for the entire trip.
The danger was not just hypothetical.
The frigate berthed next to us as we
boarded had 25 pirates in its brig.
Waking up every morning to the
prospect of encountering real pirates
added brio to our excursion. It also in-
duced reflections on use of the word
“piracy” to describe copyright infringe-
ments. Downloading music is really
not in the same league as armed at-
tacks on ships. A Stop Online Piracy Act protest rally in New York City in January, 2012.
As we were cruising from Mahe
to Aldabra, I expected to be far away industry thought were either indiffer- This column will explain the key fea-
from it all. But the ship got a daily fax ent or acquiescent to storage of in- tures of SOPA, why the entertainment
of the main stories being published in fringing materials. industry believed SOPA was necessary
the New York Times. Among them were For a time, it seemed virtually inevi- to combat online piracy, and why SOPA
stories about the controversy over the table that SOPA would become law. Yet came to be perceived as so flawed that
Photogra ph by A l a in-Ch rist ia n

proposed legislation known as the
Stop Online Piracy Act (SOPA). SOPA
would have given the entertainment
industry new legal tools to impede ac-
cess to foreign “rogue” Web sites that
host infringing content and to chal-
lenge U.S.-directed Web sites that the
because strong opposition emerged
from technology companies, computer
security experts, civil liberties groups
and members of the general public,
SOPA has been put on hold. It is un-
likely to be enacted in anything like its
original form.
numerous sponsors withdrew their
support from the bill.
Blocking Access to
“Foreign Rogue Web Sites”
As introduced, SOPA would have em-
powered the Attorney General (AG) of

ju ly 2 0 1 2 | vo l. 55 | n o. 7 | c om m u n i cat ion s o f t he ac m 25
viewpoints
the U.S. to seek court orders requir-
ing foreign Web sites to cease provid-
ing access to infringing copies of U.S.
works. Because “rogue” Web sites
seemed unlikely to obey a U.S. court
order, SOPA further empowered the
AG to serve these orders on U.S. Inter-
net intermediaries who would then
have been required to take “technical-
ly feasible and reasonable measures”
to block their users from accessing
the foreign Web sites. This included
“measures designed to prevent the do-
main name of the foreign infringing
site…from resolving to that domain
name’s Internet protocol address.”
These measures needed to be under-
taken “as expeditiously as possible,”
but no later than five days after receipt
of the orders.
Upon receiving a copy of a rogue-
Web site order, search engines would
have been required to block access to
the sites even if users were searching
for items that would otherwise have
brought the sites to their attention. In-
ternet service providers would have had
to ensure that users who typed certain
URLs (for example, http://thepiratebay.
se) into their browsers could not reach
those sites. Payment providers (such as
Visa or Mastercard) would have had to
suspend services for completing trans-
actions. Internet advertising services
would have had to discontinue serving
ads and providing or receiving funds
for advertising at these sites.
Those who failed to comply with
the DNS blocking obligations could
expect the AG to sue them. The AG
was also empowered to sue those who
provided a service designed to circum-
vent this DNS blocking (for example,
The safe harbors
have been an
important factor in
the extraordinary
growth of the
Internet economy.
26 communicatio ns o f the ac m | j u ly 201 2 | vol . 5 5 | no. 7
a plug-in or directory that mapped
blocked URLs with numerical DNS
representations).
Frustrated by the weak enforcement
of intellectual property rights (IPRs)
abroad, the U.S. entertainment indus-
try urged Congress to adopt SOPA as
the best way to impede online infringe-
ments. Foreign rogue Web sites might
still be out there, but if U.S.-based In-
ternet intermediaries blocked access
to the sites, users would not be able to
access infringing materials through
U.S. intermediaries.
Because ISPs in the U.S. and abroad
have no duty to monitor what users
do on their sites, it is easy for sites to
become hosts of large volumes of in-
fringing materials. Some operators
seemingly turn a blind eye to infringe-
ment, some encourage posting of
infringing content, while other sites
may just be misused by infringers. By
cutting off sources of transactional
and advertising revenues, the hope
was to discourage these sites from
continuing to operate.
Challenging U.S.-Directed Web Sites
SOPA would also have given holders of
U.S. intellectual property rights (IPRs)
power to challenge “U.S.-directed sites
dedicated to the theft of U.S. property.”
At first blush, it might seem that rea-
sonable persons should support a law
crafted to target such sites. But “dedi-
cated to the theft of U.S. property” was
defined in a troublingly ambiguous
and overbroad way. It included opera-
tors of sites that were taking “deliber-
ate actions to avoid confirming a high
probability of the use of [that] site to
carry out acts” in violation of copyright
or anti-circumvention rules. Also in-
cluded was any site that was “primarily
designed or operated for the purpose
of, ha[d] only a limited use other than,
or [wa]s marketed by its operator or
another acting in concert with that op-
erator in, offering goods or services in
a manner that engages in, enables, or
facilitates” violations of copyright or
anti-circumvention laws.
SOPA would have enabled firms
who believed themselves to be harmed
by one of these sites to send letters to
payment providers and/or to Internet
advertising services to demand that
they cease providing services to sites
alleged to be “dedicated to the theft of
U.S. property” shortly after receiving
such letters.
Payment providers and Internet ad-
vertising services were then tasked with
notifying the challenged sites about
the “dedicated-to-theft” allegations
against them. Challenged sites could
contest these allegations by sending
counter-notices to the payment provid-
ers and Internet advertising services.
But without a counter-notice, payment
providers and Internet advertising ser-
vices had to cease further dealings with
the challenged Web sites.
Content owners could also sue ded-
icated-to-theft sites directly to enjoin
them from undertaking further ac-
tions that evidenced their dedication
to theft. SOPA also authorized content
owners to sue payment providers or ad-
vertising services who failed to comply
with demands that they cease dealing
with challenged Web sites.
SOPA’s Flaws
The main problems with SOPA insofar
as it would have employed DNS block-
ing to impede access to foreign rogue
Web sites were, first, that it would un-
dermine the security and stability of
the Internet as a platform for commu-
nication and commerce and second,
that it would be ineffective.
SOPA is fundamentally inconsis-
tent with DNSSEC (DNS Security Ex-
tensions), a protocol developed to
avoid abusive redirections of Internet
traffic, whether by criminals, autocrat-
ic governments, or other wrongdoers.
Computer security experts spent more
than a decade developing DNSSEC,
which is now being implemented all
over the world, including by U.S. gov-
ernment agencies.
As the USACM Public Policy Com-
mittee observed in a letter sent to mem-
bers of Congress, DNSSEC Web site
operators cannot reliably block offend-
ing sites “and so may be faced with the
choice of abandoning DNSSEC or being
in violation of issued court orders.”
This letter explained why DNS
blocking would be ineffective. “[I]t is
effectively impossible to bar access to
alternate DNS servers around the globe
because there are millions of them on
the Internet.” Use of those servers “al-
lows for bypassing of DNS blocking.”
Circumvention of DNS blocking is,
moreover, “technically simple and uni-

versally available.” Browser add-ons to
avoid DNS blocking have already been
developed and would be available on
servers outside the U.S., even if illegal
in the U.S.
The main problems with the ded-
icated-to-theft provisions of SOPA
were, first, that it was too imprecise
and second, that it represented a dra-
[email protected]
matic change in the rules of the road
affecting Internet intermediaries.
What does it mean, for instance,
for an Internet intermediary to take
“deliberate actions to avoid confirm-
ing a high probability” of infringement
on the site? If Viacom tells YouTube it
[email protected]
has found infringing clips of “South
Park” shows on its site, does YouTube
become a site dedicated to the theft of
Viacom’s property if it does not inves-
tigate these claims? If Universal Music
Group objects to the resale of MP3 files
of its music on eBay, does eBay become
[email protected]
a site dedicated to theft of Universal’s
property because one or more of its us-
ers offer the MP3 files for sale there?
Many Internet companies consid-
ered the dedicated-to-theft defini-
tion to be fundamentally inconsistent
with the safe harbors established by
[email protected]
the Digital Millennium Copyright Act
(DMCA). Under the DMCA, Internet in-
termediaries are obliged to take down
infringing materials after they are no-
tified about specific infringements at
specific parts of their Web sites. They
have no obligation to monitor their
[email protected]
sites for infringement. The safe har-
bors have been an important factor in
the extraordinary growth of the Inter-
net economy.
It may be apt to characterize sites
[email protected]
such as Napster, Aimster, and Grokster
as having been dedicated to the theft of
U.S. intellectual property, but existing
copyright law supplied copyright own-
ers with ample tools with which to shut
down those sites.
Had the entertainment industry
sought more narrowly targeted rules
aimed at inducing payment providers
and Internet advertising services to
stop the flow of funds to sites that were
really dedicated to infringement, such
a law might have passed. But that was
not SOPA.
[email protected]
[email protected]
) is the
Conclusion
The collapse of support for SOPA was
principally due to concerted efforts by
viewpoints
Because SOPA
Calendar
was a flawed piece of Events
of legislation, July 15–16
the collapse was Extreme Scaling Workshop,
Chicago, IL,
a good thing. Contact: Bill Kramer,
Email:
July 15–19
26th ACM/IEEE/SCS Workshop
on Principles of Advanced and
Distributed Simulation,
Zhangjiajie, China,
Sponsored: SIGSIM,
Contact: Jason Liu,
Internet service providers (including Email:
Wikipedia, which went “dark” one day
to protest SOPA), computer security ex- July 15–20
perts, civil society groups, and millions International Symposium
on Software Testing and
of Internet users who contacted their Analysis,
Congressional representatives to voice Minneapolis, MN,
opposition to the bill. Sponsored: SIGSOFT,
Because SOPA was a flawed piece Contact: Mats Heimdahl,
Email:
of legislation, the collapse was a good
thing. It would, however, be a mistake July 16–18
to think the battle over Internet inter- ACM Symposium on Principles
mediary liability for infringing acts of of Distributed Computing,
Funchal, Portugal,
users has been won for good. Sponsored: SIGOPS,
The entertainment industry is al- Contact: Dariusz Kowalski,
most certainly going to make further Email:
efforts to place greater legal respon-
July 16–20
sibilities on Internet intermediaries. the 6th ACM International
This industry believes intermediar- Conference on Distributed
ies are the only actors in the Internet Event-based System,
Berlin, Germany,
ecosystem who can actually affect the Sponsored: SIGSOFT,
level of online infringements that Contact: Francois Bry,
contributes to entertainment indus- Email:
try panics.
July 16–20
An odd thing about the entertain- User Modeling, Adaptation
ment industry is its deeply skewed and Personalization,
views about piracy. In movies such as Montreal, Canada,
Pirates of the Caribbean, the industry Contact: Nkambou Roger,
Email:
glamorizes brigands who attack ships
by depicting them as romantic he- July 22–25
roes who have great adventures and International Symposium
engage in swashbuckling fun. Yet, it on Symbolic and Algebraic
Computation,
demonizes fans who download music Grenoble, France,
and movies as pernicious evildoers Contact: Joris van der Hoeven,
who are, in its view, destroying this Email: vdhoeven@lix.
polytechnique.fr
vital part of the U.S. economy. Some-
thing is amiss here, and it is contrib- July 24–27
uting to a profound disconnect in per- International Conference
spectives about how much the law can on e-Business,
Rome, Italy,
do to bring about changes in norms
Contact: Prof. Mohammad S.
about copyright. Obaidat,
Email:
Pamela Samuelson (
Richard M. Sherman Distinguished Professor of Law and
Information at the University of California, Berkeley.
Copyright held by author.
ju ly 2 0 1 2 | vo l . 55 | n o. 7 | c om m u n i c at ion s o f t he ac m 27
V
viewpoints

doi:10.1145/2209249.2209261 R.T. Watson, J. Corbett, M.C. Boudreau, and J. Webster

Computing Ethics
An Information Strategy for
Environmental Sustainability
Seeking solutions to a problem of change.

T
h ro ug h t h re e ce ntu ri e s of
industrialization, humans
have changed the chemical
composition of the air, land,
rivers, and oceans. The es-
sentials of life for the majority of the
Earth’s flora and fauna have experi-
enced profound alterations, and these
species-threatening transformations
show signs of accelerating unless we
take action to change direction. Many
of the proposed solutions, such as car-
bon sequestering, have an engineering
orientation and are based on current
technologies.7 Often the suggested
remedies do not adequately recognize
the potential of information systems
to greatly increase energy efficiency12
or to influence individual and orga-
nizational behaviors. This is a critical
oversight. Computer-based informa-
tion systems have been the driving
force for productivity improvements10
in the last five decades. We contend
that, in a similar way, information sys-
tems can be a driving force for sustain-
ability improvements. Our quest for
environmental sustainability needs
an information strategy to parallel and
complement engineering solutions:
ACM members could and should play
a critical role in creating and imple-
menting an information strategy.
Computing professionals and aca-
Illustration by Ya rek waszu l

demics have many of the key skills

needed to help solve the complex
problems surrounding sustainabil-
ity. This community is highly innova-
tive, focused on efficiency gains and
the customer experience, and has ex-
tensive knowledge of the design and
implementation of systems. In this
column, we want to stimulate the
computing profession to address en-
vironmental sustainability collectively
through action and research focusing
on several imperatives at the heart of
an information strategy. These imper-
atives arise from two views about hu-
man behavior—rational and social—

28 comm unicatio ns o f th e ac m | j u ly 201 2 | vo l. 5 5 | no. 7


that influence how we make decisions
about sustainability and many other
aspects of life. The rational view, as
typically espoused in economics, takes
two perspectives: humans are entirely
motivated by narrow self-interest and
the pursuit of utility maximization6;
and firms should focus exclusively
on maximizing shareholder wealth.1
Individual rationality, however, does
not always lead to collective rational-
ity. The tragedy of the commons4 and
the paradox of thrift8 illustrate how
individual self-interest can lead to the
depletion of a community resource
and how individual austerity in times
of recession exacerbates the problem,
respectively. Social forces, such as the
desire to build long-term relation-
ships, dampen self-interest.5 Social
constraints and interventions, such as
culture, laws, and ethical codes, can
rein in naked self-interest to create
outcomes that are more attuned to the
collective interest.
The Role of Information in
Rational and Social Behavior
The economic organization of current
society predominantly reflects the op-
eration of self-interest. By the late 20th
century, most countries had decided
that the allocation of many scarce re-
sources, a fundamental economic
problem, should be assigned to prices,
markets, and free enterprise. The glob-
al economy largely operates through
prices, particularly for commodities
(such as coal and iron), which are ma-
jor factors in the price of nearly all con-
sumer products and services. From a
sustainability and societal perspective,
prices are not always an effective signal
because of the presence of externali-
ties, which represent costs absorbed
by society rather than the producer. For
example, the costs of CO2 emissions
of coal-fired power stations are borne
by everyone, irrespective of how much
electricity they consume. When soci-
ety allows this externalization of such
costs, markets and self-interest work
against sustainability,3 which is why
some advocate internalization of exter-
nalities.9 Thus, the economic system
would better serve the greater social
good if prices were aligned with sus-
tainability goals.
At present, we do not have in place
data streams and associated informa-
Many people
want to maintain
a sustainable
lifestyle, but
they do not
know how.
tion systems that economists and leg-
islators could use for setting fees and
establishing regulations and social
interventions to ensure that prices
reflect externalities. One solution is
extensive sensor networks for record-
ing the location and characteristics of
pollution. Then we would have the raw
material for accurate pricing. Thus, a
first imperative for the profession is
to: Create information systems and net-
works that provide the capacity to incor-
porate significant environmental costs
into prices.
This pricing perspective favors one
view of how to transition to an environ-
mentally sustainable society. Treating
people and organizations as autono-
mous maximizing utilitarians, how-
ever, fails to recognize that our innate
social nature and non-economic pri-
orities greatly influence our decisions,
needs, and behaviors, and that we are
strongly influenced by others. Behav-
ioral economics addresses some of
the shortcomings of traditional indi-
vidual self-interest oriented economic
analysis. Solutions to sustainability,
particularly information-driven strat-
egies, need to also consider our social
side. Our environment is the result of
what we consume now and in the fu-
ture. Hence, societal transition ulti-
mately hinges on consumers—as indi-
viduals and organizations—changing
their consumption patterns for the
greater good of the environment and
not just because of a product’s price.
Many organizations and individuals
have a positive attitude toward the en-
vironment and seek to make sustain-
able choices, yet it is often difficult for
them to follow these beliefs because
they lack information about the en-
ju ly 2 0 1 2 | vo l . 55 | n o. 7 | c om m u n i c at ion s o f t he acm
viewpoints
vironmental consequences of those
decisions. Information, which helps
to form perceptions, is critical to the
functioning of our social as well as ra-
tional side. Three streams of informa-
tion can influence perceptions about
sustainability: organizational sustain-
ability reporting, product informa-
tion, and feedback on individual envi-
ronmental impact.
If consumers and enterprises want
to favor environmentally responsible
organizations, where can they find
objective and reliable information to
identify such organizations? Inves-
tors can turn to audited financial re-
ports, but what if people and organi-
zations want to invest in the future of
the Earth by favoring environmentally
conscious suppliers and firms, and
ecologically sound products? Regula-
tions for sustainability reporting are
emergent. At the global level, there
are now about a dozen standards,
most of which are voluntary and not
necessarily audited, with the Global
Reporting Initiative (GRI)2 the most
widely used. Voluntary reporting can
work against the attainment of sus-
tainability by hampering the imple-
mentation of other mechanisms
that could be more effective, such as
stricter regulations. Consequently, in
2010, GRI issued a declaration calling
on governments to require companies
to report on environmental and social
factors. Compulsory reporting will set
the stage for our profession to enter
the fray because we excel at the explo-
ration, collection, presentation, and
dissemination of the information con-
tained in organizational sustainability
reports that can influence behavior.
The profession has already contrib-
uted extensively to the development of
organizational financial reporting sys-
tems to make markets more efficient.
Another imperative before us is to: De-
sign corporate sustainability reporting
systems that achieve the goal of a more
sustainable society.
If consumers want to purchase
products that advance sustainability,
where can they find reliable informa-
tion? Governments require labeling
information to provide data on the nu-
tritional value of food and the chemi-
cals in drugs. This practice could be
extended to sustainability. Informa-
tion has far more value when it can be
29
viewpoints
digitally processed, and what is need-
ed is a product database containing
the environmental calculations for the
vast majority of commonly consumed
items so consumers can readily under-
take green comparisons of products.
Computing professionals can play a
key role in defining the data standards
for consumer environmental calcula-
tions and then designing systems for
making this data publicly and conve-
niently accessible. We can help con-
sumers choose greener products and
understand the environmental conse-
quences of their purchasing decisions.
Consequently, another imperative for
the profession is to: Implement efficient
approaches for collecting and persuasive
means of presenting product sustain-
ability information to promote green
purchasing decisions.
Many people want to maintain a
sustainable lifestyle, but they do not
know how. For example, the house-
holder who wants to do the laundry
with electricity primarily from renew-
able sources typically lacks relevant
information. Furthermore, even when
some information is available, it is of-
ten aggregated so that individual ac-
tion is hidden in collective behavior.
For most, the monthly electricity bill
omits the necessary details to promote
change. Consumers would be better
informed if each action were accompa-
nied by information about its environ-
mental effects. Therefore, as a profes-
sion, we need to: Develop information
systems that provide individuals with
accurate, meaningful, and actionable
information about the environmental
impact of personal decisions.
In summary, accurate pricing and
well-informed perceptions among all
members of society—individual, or-
ganizational, governmental—are the
foundations of an information strat-
egy for environmental sustainability.
Such an information strategy requires
processing and storing more informa-
tion (along with studying its reception
by consumers). Sensor networks and
product sustainability information will
add new streams of data that we need
to manage securely and sustainably in
a world already experiencing a data del-
uge. We certainly do not want a situa-
tion where the energy required for stor-
ing and processing this data results in
a net increase in harmful emissions.
30 communic atio ns o f the ac m | j u ly 201 2 | vol . 5 5 | no. 7
What matters now
is that we stimulate
debate within the
profession about
its role in creating
a sustainable society.
Thus, in designing and developing an
information strategy for sustainabil-
ity, we must take into account the full
life cycle impact of these solutions and
their own intrinsic demands on the
environment for materials and energy
consumption. Critically, we need to:
Develop professional standards for data
processing and storage that minimize
their environmental consequences, while
simultaneously helping to create a sus-
tainable society.
A Call for Action
Large-scale endeavors, such as re-
ducing the effects of global climate
change, require the incremental and
cumulative action of many working to-
ward a common outcome. Like those
in other fields,11 we believe it is our
ethical imperative to address environ-
mental sustainability issues. Collec-
tively, we can start on this path by first
tackling current tractable issues, such
as designing and building local sensor
networks, and then scaling up as we
learn how to create a global network of
linked sensor networks, using the In-
ternet as both a platform and a model.
Similarly, the behavioral scientists in
our community can begin exploring
the relationship between information,
perceptions, and environmental con-
sequences, and scale as they learn.
What matters now is that we stim-
ulate debate within the profession
about its role in creating a sustainable
society. Despite differences between
ACM members, there is ongoing work
on which we can build—see the work
on computational sustainability of the
Computing Community Consortium
as well as the work of the Association
for Information Systems special inter-
est group on green information sys-
tems. It matters that we take action,
and as we learn, we will refine our
notions of an effective information
strategy and sound tactical solutions.
John Holdren, President of the Ameri-
can Association for the Advancement
of Science and advisor to U.S. Presi-
dent Barack Obama for Science and
Technology, called on his colleagues
to tithe 10% of their time to working
on the globe’s significant problems;
it might well be appropriate for ACM
to make a similar appeal to its mem-
bership. In summary, ACM members,
both collectively and individually, must
apply their computing knowledge to con-
tribute to the creation and implementa-
tion of an information strategy for a sus-
tainable society.
References
1. Friedman, M. The Social Responsibility of Business is to
Increase its Profits. Springer Berlin Heidelberg, 2007.
2. Global Reporting Initiative. Sustainability Reporting
Guidelines: Version 3.0. 2006.
3. Grunert, K.G. and Thøgersen, J. Consumers, Policy and
the Environment: A Tribute to Folke Ölander. Springer,
2005.
4. Hardin, G. The tragedy of the commons. Science 162,
3859 (1968), 1243–1248.
5. Lawrence, P.R. Being human: A Darwinian theory
of human behavior. Unpublished draft, 2007;
http://prlawrence.com/beinghumandownload.html%3E.
6. Milgrom, P.R. and Roberts, J. Economics, Organization,
and Management. Prentice-Hall, Englewood Cliffs,
N.J., 1992.
7. Pacala, S. and Socolow, R. Stabilization wedges:
Solving the climate problem for the next 50 years with
current technologies. Science 305 (2004), 968–972.
8. Samuelson, P.A. and Nordhaus, W.D. Economics.
McGraw-Hill Irwin, Boston, 2010.
9. Stern, N. The Economics of Climate Change: The Stern
Review. Cambridge University Press, 2007.
10. Stiroh, K.J. Information technology and the U.S.
productivity revival: What do the industry data say?
American Economic Review 92, 5 (2002), 1559–1576.
11. Swim, J. K. et al. Psychology’s contributions to
understanding and addressing global climate change.
American Psychologist 66, 4 (2011), 241.
12. Watson, R.T., Boudreau, M.-C., and Chen, A.J.W.
Information systems and environmentally sustainable
development: Energy informatics and new directions
for the IS community. MIS Quarterly 34, 1 (2010),
23–38.
Richard T. Watson ([email protected]) is the J. Rex
Fuqua Distinguished Chair for Internet Strategy in the
Department of MIS at the Terry College of Business at
the University of Georgia, Athens, GA.
Jacqueline Corbett ([email protected]) is
an assistant professor in the Department of Management
Information Systems in the School of Business
Administration at Laval University in Quebec City, Canada.
Marie-Claude Boudreau ([email protected]) is
an associate professor in the Department of MIS at the
Terry College of Business at the University of Georgia,
Athens, GA.
Jane Webster ([email protected]) is
the E. Marie Shantz Professor of Management
Information Systems at Queen’s University in Kingston,
Ontario, Canada.
Copyright held by author.
V
viewpoints

doi:10.1145/2209249.2209277 Martin Campbell-Kelly

Historical Reflections
Alan Turing’s Other
Universal Machine
Reflections on the Turing ACE computer and its influence.

A
ll c o mput e r s c i e n t i s t s
know about the Univer-
sal Turing Machine, the
theoretical construct the
British genius Alan Turing
described in his famous 1936 paper on
the Entscheidungsproblem (the halting
problem). The Turing Machine is one
of the foundation stones of theoreti-
cal computer science. Much less well
known is the practical stored program
computer he proposed after the war
in February 1946. The computer was
called the ACE—Automatic Comput-
ing Engine—a name intended to evoke
the spirit of Charles Babbage, the pio-
neer of computing machines in the
previous century.
Almost all post-war electronic com-
puters were, and still are, based on the
famous EDVAC Report written by John
von Neumann in June 1945 on behalf The Pilot ACE, May 1950. Jim Wilkinson (center right) and Donald Davies (right).
of the computer group at the Moore
School of Electrical Engineering at the roles. Computers were in the air and of one, and over the next few months
University of Pennsylvania. Von Neu- universities at Manchester, Cam- he evolved the design of the ACE. His
mann was very familiar with Turing’s bridge, and elsewhere established report was formally presented to the
1936 Entscheidungsproblem paper. In electronic computer projects. Out- NPL’s executive committee in Febru-
1937, Turing was a research assistant side the academic sphere, in Lon- ary 1946.
at the Institute for Advanced Study at don, the National Physical Laboratory Although the ACE drew heavily on
Princeton University, where von Neu- (NPL—Britain’s equivalent of the Na- the EDVAC Report, it had many novel
mann was a professor of mathematics. tional Bureau of Standards) started features and was a design of great
Beyond these known facts, however, it a mathematics division to provide a originality. When he heard about the
is not possible to say how much influ- computing service for industry. With EDSAC that was being planned at
ence the Turing Machine had on the a staff of 40 and equipped with desk Cambridge University by Maurice Wil-
design of the EDVAC. But there is no calculating machines, punched card kes, which was based very directly on
doubt the ACE was heavily influenced equipment, and a differential analyz- the EDVAC, Turing was unimpressed.
by the EDVAC Report. er, it was an impressive organization. He wrote in a private note: “The ‘code’
The war in Europe ended in May In October 1945, Turing was brought which [Wilkes] suggests is however
1945 and the institutions of Britain in to establish an electronic com- very contrary to the line of develop-
began to get back to their peacetime puter project. He was a department ment here, and much more in the

ju ly 2 0 1 2 | vo l . 55 | n o. 7 | com m u n i cat ion s o f t he acm 31

viewpoints

ACM’s
interactions
magazine explores
critical relationships
between experiences, people,
and technology, showcasing
emerging innovations and industry
leaders from around the world
across important applications of
design thinking and the broadening
field of the interaction design.
Our readers represent a growing
community of practice that
is of increasing and vital
Turing’s brilliant
innovation in the
ACE was to eliminate
delay-line waiting
time by what was
later called optimum
programming.
American tradition of solving one’s
problems by means of much equip-
ment rather than by thought. I should
imagine that to put his code (which is
advertised as ‘reduced to the simplest
possible form’) into effect would re-
quire a very much more complex con-
trol circuit than is proposed in our full-
size machine.”
Wilkes took the view that build-
ing the EDSAC to a conventional de-
sign would be enough of a challenge.
Moreover, the EDSAC would be several
thousand times faster than existing
techniques and users would be best
served by having a conventional ma-
chine sooner rather than a novel de-
sign later. There was merit in both of
their positions.
ACE Design
The ACE was designed to fully exploit
the potential of a mercury delay-line
memory. The delay line was a spin-off
from echo-cancellation devices in ra-
dar, and in 1946 it was the only proven
memory technology. When used in the
main memory of a computer, the delay
line consisted of a five-foot mercury-
filled steel tube. Digital data was con-
verted to acoustic energy at one end of
the tube and converted back to electri-
cal signals at the other end. By feeding
the output back into the input, digi-
tal data could be stored indefinitely.
A five-foot tube had an acoustic de-
lay of about one millisecond and the
typical pulse duration of a computer
was one microsecond; hence the de-
lay line could store about 1,000 bits
of information (usually 1,024 bits, of
course). This was enough to store sev-
eral instructions or numbers. Apart
from its high cost and unreliability,
the mercury delay line memory also
had the problem of latency. That is,
when an instruction or number was
needed, the machine had to wait un-
til it emerged from the delay line—an
average time of half a millisecond.
For this reason most delay-line based
computers spent more time waiting
for instructions and numbers than
processing them.
Turing’s brilliant innovation in
the ACE was to eliminate this waiting
time by what was later called optimum
National A rch ive for th e H istory of Comp ut ing, M anch ester Universit y

global importance.
e
ib
cr
s
ub
/s
rg
.o
cm
a
w.
w
w
://
tp
ht

Control desk of the English Electric DEUCE, 1955.

32 c omm unicatio ns o f th e ac m | j u ly 201 2 | vo l. 5 5 | no. 7


programming. On a conventional
machine instructions were stored in
consecutive locations, so that latency
effects dramatically slowed up the
machine. In the ACE design, however,
each instruction specified the location
of its successor. In this way instruc-
tions (and numbers) could be placed
optimally in the memory so that they
emerged from a delay line just as they
were needed. The optimum coding
idea showed a rather direct connec-
tion to the “instruction tables” of the
Turing Machine, in which each or-
der specified the next to be obeyed.
This simple idea alone would make
the ACE about three times faster than
other delay-line based computers.
Optimum coding, it should be noted,
was much more difficult than conven-
tional programming, but for a decade
it was the way to get maximum perfor-
mance from delay-line or drum-based
machines.
But there was more. In the ACE de-
sign Turing avoided having a single
central register (known as the accu-
mulator in EDVAC-type machines) in
which all computation took place. In-
stead, he had separate registers for ad-
dition and subtraction, multiplication,
logical operations, shifting, and so
on. To a degree Turing was anticipat-
ing what would later be called the von
Neumann bottleneck.
ACE Construction
Turing proposed that the ACE would
contain 200 delay lines in the main
memory and estimated the con-
structional cost at £11,200 (about
$45,000). Turing was a better math-
ematician than an engineer and his
estimates were wildly unrealistic.
Building the ACE got off to a shaky
Bend ix g-15 broch ure image cou rtesy of th e Co mput er Histo ry M useum
start and not much happened for sev-
Besides the DEUCE,
the Pilot ACE
spun off several other
worthy derivatives.
eral months. Then in 1947 an Ameri-
can, Harry Husky, who had been a
member of the Moore School com-
puter group, began a sabbatical year
at the NPL. He proposed building a
small prototype of the ACE, which he
called the Test Assembly. Still, little
progress was made and Turing left
the NPL in September 1947 for a sab-
batical year at King’s College, Cam-
bridge University. He never returned
to the NPL. At last in early 1949, work
really got going on another small ver-
sion known as the Pilot ACE and the
development logjam was broken by
Donald Davies, a new recruit to the
NPL. Davies was an outstanding sci-
entist and administrator. He later
became head of computer science at
the NPL and was one of the inventors
of packet switching technology.
The Pilot ACE sprang into life in
May 1950. It had just 10 delay lines, but
when augmented with a drum store it
was a highly capable computing ma-
chine. Benchmarks showed that it was
five to 10 times faster than contem-
porary machines. Moreover, the Pilot
ACE had just 800 tubes compared with
3,000 in the Cambridge EDSAC and
3,500 in the Manchester Mark I.
ACE Derivatives
The English Electric Company, a
manufacturer of airplanes and elec-
trical equipment and a contractor to
the NPL, decided make a copy of the
Pilot ACE; unsurprisingly, the ma-
chine was named the DEUCE. This
set the ball rolling—English Electric’s
competitors decided they would like a
machine too and the company found
itself in the computer business. Sold
from 1955, the DEUCE was especially
popular with engineering companies
that had heavy computational needs.
Sales to aerospace companies were
given a boost following the Comet air
disaster of 1954, which had result-
ed in the statutory requirement for
airplane manufacturers to conduct
so-called flutter calculations. The
DEUCE came with a superb library
of matrix software developed by Jim
Wilkinson, originally Turing’s assis-
tant but later a distinguished numeri-
cal analyst and winner of the 1970
ACM A.M. Turing Award.
Besides the DEUCE, the Pilot ACE
spun off several other worthy deriva-
ju ly 2 0 1 2 | vo l . 55 | n o. 7 | c om m u n i cat ion s o f t he acm
viewpoints
A brochure for the Bendix G-15 computer,
introduced in 1956.
tives. The most important was the
Bendix G-15 introduced in 1956. The
machine was designed for the West
Coast’s Bendix Aviation Corporation
by Harry Husky, who had returned to
the U.S. and joined the faculty of the
University of California, Berkeley. Op-
timum coding gave the machine an
edge over rival machines, and the G-15
became a workhorse for the American
engineering industry. About 400 were
eventually sold.
Conclusion
As to the ACE itself, the full-scale,
200-delay-line machine was finally
completed in 1958. Sadly, by the time
it was built the heyday of delay-line
storage was over, and new comput-
ers were using random access core
memory. Even the NPL admitted the
machine was a technological dino-
saur. Turing died in 1954, so he never
lived to see either the triumph of the
DEUCE or the whimper of the full-
scale ACE. English Electric went on
to become a cornerstone of the early
British computer industry. After the
DEUCE went out of production in
1960 it was succeeded by the KDF9,
an innovative machine with a stack-
based architecture—it showed the
company had lost none of the design
verve it had inherited from Turing.
Martin Campbell-Kelly (M.Campbell-Kelly@warwick.
ac.uk) is a professor in the Department of Computer
Science at the University of Warwick, where he specializes
in the history of computing.
Copyright held by author.
33
V
viewpoints

doi:10.1145/2209249.2209262 Alfred Spector, Peter Norvig, and Slav Petrov

Viewpoint
Google’s Hybrid
Approach to Research
By closely connecting research and development Google is able
to conduct experiments on an unprecedented scale, often resulting
in new capabilities for the company.

I
n th i s Vi e w p oin t, we describe
how we organize computer sci-
ence research at Google. We
focus on how we integrate re-
search and development and
discuss the benefits and risks of our
approach. The challenge in organiz-
ing R&D is great because CS is an in-
creasingly broad and diverse field. It
combines aspects of mathematical
reasoning, engineering methodology,
and the empirical approaches of the
scientific method. The empirical com-
ponents are clearly on the upswing, in
part because the computer systems we
construct have become so large that
analytic techniques cannot properly
describe their properties, because the
systems now dynamically adjust to the
difficult-to-predict needs of a diverse
user community, and because the sys-
tems can learn from vast datasets and Google Fellow Jeffrey Dean discusses MapReduce, Google File System, and BigTable during
large numbers of interactive sessions a keynote session.
that provide continuous feedback.
We have also noted that CS is an ex- mercial systems that set new standards product needs. Recent articles, such as
panding sphere, where the core of the upon which others then build are in- those by Leifer et al.8 and Enkel et al.,6
field (theory, operating systems, and so creasingly important. illustrate related issues on how firms
forth) continues to grow in depth, while To compare our approach to re- do research and catalyze innovation.
the field keeps expanding into neigh- search with that of other companies The goal of research at Google is to
boring application areas. Research re- is beyond the scope of this Viewpoint. bring significant, practical benefits to
sults come not only from universities, But, for reference, we note that in the our users, and to do so rapidly, within
but also from companies, both large terminology of Pasteur’s Quadrant,11 a few years at most. Research happens
Photogra ph by Nial l Kennedy

and small. The way research results are
disseminated is also evolving and the
peer-reviewed paper is under threat as
the dominant dissemination method.
Open source releases, standards speci-
fications, data releases, and novel com-
we do “use-inspired basic” and “pure ap-
plied” (CS) research. Buderi2 and Dodg-
son et al.5 discuss information technol-
ogy research generally, pointing out
the movement in industrial labs to-
ward research that strongly considers
throughout Google, exploring techni-
cal innovations whose implementation
is risky, and may well fail. Sometimes,
research at Google operates in entire-
ly new spaces, but most frequently,
the goals are major advances in areas

34 comm unicatio ns o f th e acm | j u ly 201 2 | vol . 5 5 | no. 7


where the bar is already high, but there
is still potential for new methods. In
these cases, simply establishing the
feasibility of a research idea may be a
substantial task, but even greater effort
is required to create a true success or
useful negative result.
Because of the time frame and ef-
fort involved, Google’s approach to re-
search is iterative and usually involves
writing production, or near-produc-
tion, code from day one. Elaborate re-
search prototypes are rarely created,
since their development delays the
launch of improved end-user services.
Typically, a single team iteratively ex-
plores fundamental research ideas, de-
velops and maintains the software, and
helps operate the resulting Google ser-
vices—all driven by real-world experi-
ence and concrete data. This long-term
engagement serves to eliminate most
risk to technology transfer from re-
search to engineering. This approach
also helps ensure the research efforts
produce results that benefit Google’s
users, by allowing research ideas and
implementations to be honed on em-
pirical data and real-world constraints,
and by utilizing even failed efforts to
gather valuable data and statistics for
further attempts.
Implications of Google’s
Mission and Capabilities
Google’s mission “To organize the
world’s information and make it uni-
versally accessible and useful,” both
supports and requires innovation in
almost all CS disciplines. For example,
we aim to “understand” user intent
and the meaning of documents, to
translate between languages with ever-
higher fidelity, and to be able to trans-
form content in one modality (say, im-
age) into relevant content in all others
(say, text). Google’s entire organization
is focused on rapid innovation, and
three aspects of Google’s technology
and business model support this:
˲˲ Organizing all of the world’s in-
formation requires large amounts of
resources. By providing a rich set of
computing abstractions and power-
ful processors, storage, and network-
ing capabilities in our data centers,
Google has been able to gain econo-
mies of scale and to sidestep some of
the complexity of heterogeneous com-
puting environments.
Google’s approach to
research is iterative
and usually involves
writing production, or
near-production, code
from day one.
˲˲ The services-based delivery model
brings significant benefits to research
and development. Even a small team
has at its disposal the power of many
internal services, allowing the team to
quickly create complex and powerful
products and services. Design, testing,
production, and maintenance pro-
cesses are simplified. Additionally, the
services model, particularly one where
there is significant consumer engage-
ment, facilitates empirical research.
˲˲ Google has been able to hire a tal-
ented team across the entire engineer-
ing operation. This gives us the op-
portunity to innovate everywhere, and
for people to move between projects,
whether they be primarily research or
primarily engineering.
Hybrid Research at Google
Google’s focus on innovation, its ser-
vices model, its large user community,
its talented team, and the evolutionary
nature of CS research has led Google
to a “Hybrid Research Model.” In this
model, we blur the line between re-
search and engineering activities and
encourage teams to pursue the right
balance of each, knowing that this bal-
ance varies greatly. We also maintain
considerable fluidity in terms of mov-
ing both people and projects as needs
change. As such, even in areas where
there is a much higher proportion of
research to engineering, the “Research
Team” we have established is not as
formally separate from engineering ac-
tivities as those in other organizations,
and for example runs large production
systems, too. Overall, we undertake
research work when we feel its sub-
stantially higher risk is warranted by
a chance of more significant potential
impact. Additionally, research also has
ju ly 2 0 1 2 | vo l . 55 | n o. 7 | c om m u n i c at ion s o f t he acm
viewpoints
the potential to impact the world both
through Google’s products and servic-
es, and through the academic research
community. We recognize that the
wide dissemination of fundamental
results often benefits us by garnering
valuable feedback, educating future
hires, providing collaborations, and
seeding additional work.
In no way do we feel our model
precludes long-term research: we just
try to “factorize” it into shorter-term,
measurable components. This pro-
vides benefits to us in terms of team
motivation (based upon evidence of
concrete progress in reasonable time
periods) and the potential for commer-
cial benefit (in advance of the complete
fulfillment of all objectives). Even if we
cannot fully factorize work, we have
sometimes undertaken longer-term
efforts. For example, we have started
multiyear, large systems efforts (in-
cluding Google Translate, Chrome,
Google Health) that have important
research components. These projects
were characterized by the need for
complex systems and research (such
as Web-scale identification of paral-
lel corpora for Translate12 and various
complex security features in Chrome9
and Health). At the same time, we have
recently shown that even in longer-
term, publicly launched efforts, we are
unafraid to refocus our work (for exam-
ple, Google Health), if it seems we are
not achieving success.
Clearly, this approach benefits from
the mainly evolutionary nature of CS
research, where great results are usu-
ally the composition of many discrete
steps. If the discrete steps required
large leaps in vastly different direc-
tions, we admit that our primarily hill-
climbing-based approach might fail.
Thus, we have structured the Google
environment as one where new ideas
can be rapidly verified by small teams
through large-scale experiments on
real data, rather than just debated. The
small-team approach benefits from the
services model, which enables a few
engineers to create new systems and
put them in front of users. This in turn
enables us to conduct experiments at a
scale that is generally unprecedented
for research and development proj-
ects. One consequence is that many
projects can directly affect billions of
users. This naturally influences how re-
35
viewpoints
searchers choose to spend their time,
balancing the opportunity to have im-
pact through Google’s services with the
opportunity to have impact in the aca-
demic community. Google encourages
both kinds of impact, and some of the
most successful projects achieve both.
We thus define our hybrid research
model as one that aims to generate
scientific and engineering advances in
fields of import to Google; that does so
in a way that tends to factorize longer
projects (perhaps with very challeng-
ing goals) into discrete, achievable
steps (each of which may be of com-
mercial value); where we maximally
leverage our cloud computing mod-
els and large user base to support in
vivo research; where we allow for the
maximal amount of organizational
flexibility so we can support both proj-
ects that require some room to grow
unfettered by current constraints and
projects that require close integration
with existing products; and where we
emphasize knowledge dissemination
using a flexible collection of different
approaches.
Example Research Patterns
1. An advanced project in a product-fo-
cused team that, by virtue of its creativity
and newness, changes the state of the art
and thereby produces new research re-
sults. The first and most prevalent pat-
tern exemplifies how blurry the line be-
tween research and development work
can be. Operating at large scale, engi-
neering teams are often faced with nov-
el challenges which, when overcome,
constitute research results. Organiza-
tionally, research is done in situ by the
Our hybrid approach
to research enables
us to conduct
experiments at a
scale that is generally
unprecedented for
research projects.
36 c ommunic atio ns o f th e ac m | j u ly 201 2 | vol . 5 5 | no. 7
product team to achieve its goals. The
most successful high-profile examples
of this pattern are systems infrastruc-
ture projects such as MapReduce,4
Google File System,7 and BigTable.3
2. A project in the research group that
results in new products or services. The
second pattern is research followed by
the operation of the production service
based on that research. Both Google
Translate and Voice Search10 are ex-
amples of this pattern, where the cloud
computing infrastructure enabled
small research teams to build systems
that could be deployed. This pattern
applies best when continuing research
can further improve and extend the re-
sulting products.
3. A project in the research group
that creates new concepts and technolo-
gies, which are then applied to existing
products or services. The third pattern
is a traditional research and develop-
ment model. Google’s success with
this model of research benefits from
the services model and from the em-
phasis on data-driven evaluation. For
instance, some new audio and video
fingerprinting techniques,1 which re-
searchers were able to demonstrate
not only on small test cases, but on real
data at production scale, were then
productized by YouTube engineers.
4. A joint research project between an
engineering team and the research group
that is then used by that engineering
team. The fourth pattern is a collabora-
tive integration of research and devel-
opment teams. Many of our products
require novel algorithmic solutions to
support high performance, thus pos-
ing a blend of research and engineer-
ing challenges. An example for this
pattern is the work done by our Market
Algorithms group in collaboration with
teams working on our advertisement
systems. Together, they design, modi-
fy, and analyze the core algorithms and
economic mechanisms used for ad se-
lection and optimization.
5. A research project in an engineering
team that is transitioned to the research
group (and eventually becomes (2.), (3.),
or (4.) here). The fifth pattern, transi-
tioning a project from an engineering
team to the research team is an impor-
tant mechanism for giving a project
more time or resources, when the work
is important more broadly than for a
specific engineering team. An exam-

ple of this pattern is work on YouTube
recommendations, which started in
various engineering groups, but then
moved to a research team, where the
work continued using a different, and
perhaps deeper, algorithmic basis.
Successes
In the same way that it is difficult to
define what exactly constitutes “re-
search,” it can be difficult to measure
its “success.” In our opinion, a re-
search project is successful if it has
academic or commercial impact, or
ideally, both. Commercial impact at
Google is perhaps easier to measure,
and the company has benefitted from
numerous advances in systems, speech
recognition, language translation, ma-
chine learning, market algorithms,
computer vision, and more.
By academic impact we refer to
impact on the academic community,
other companies or industries, and the
field of computer science in general.
Of course, this type of impact has most
traditionally come from publications,
and Google continues to publish re-
search results at increasing rates (from
13 papers published in 2003, to 130 in
2006, to 279 in 2011). Some of our pa-
pers are highly regarded and have been
extensively cited.3,4,7 But we feel that
publications are by no means the only
mechanism for knowledge dissemina-
tion: Googlers have led the creation
of over 1,000 open source projects,
contributed to various standards (for
example, as editor of HTML5), and pro-
duced hundreds of public APIs for ac-
cessing our services. In some cases, we
have used these different channels in
symbiotic ways, following up an initial
publication describing the high-level
ideas (MapReduce, GFS, BigTable)
with open source implementations of
particular aspects (Protocol Buffers).
In other cases, projects have started as
open source initiatives from day one:
Android and Chromium are probably
the two most well-known examples of
open source projects and demonstrate
the effectiveness of this approach.
Discussion
Technology companies invest in re-
search for a number of reasons, in-
cluding: importance to the company’s
products and services, prestige and
contributions to the public good, and
reducing the risk of getting blindsided
by new technology developments.
Research at Google is built on the
premise that connecting research
with development provides teams with
powerful, production-quality infra-
structure and a large user base, result-
ing not only in innovative research, but
also in valuable new commercial capa-
bilities. By coupling research and de-
velopment, our goal is to minimize or
even eliminate the traditional technol-
ogy transfer process, which has proven
challenging at other companies. Most
of our projects involve people work-
ing with a given technology from the
research stage through to the product
stage. This close collaboration and
integration furthermore ensures the
reality of the problems being investi-
gated: research is conducted on real
systems and with real users. Our flex-
ible organization also provides diverse
opportunities for our employees and
has positive implications for our inno-
vation culture and hiring ability.
Of course, this close integration
also brings some risks with it. Being so
close to the users and to the day-to-day
activities of product teams, it is easy
to get drawn in and miss new develop-
ments. To mitigate this risk, we engage
with the academic community through
various initiatives such as our visiting
faculty program, our intern program
or our faculty research awards pro-
gram. We also encourage publication
of research results, though we some-
times get criticized for not publishing
enough. One reason for this is that re-
searchers at Google have multiple av-
enues for having impact, publishing
papers not being the only method. As
a result, Googlers publish fewer pa-
pers, but the ones they publish can be
more impactful, because they describe
experience with well-tested and imple-
mented systems, not just proposed
ideas. Another potential pitfall of the
hybrid research model is that it is prob-
ably more conducive to incremental
research. We therefore do support par-
adigmatic changes as well, as exempli-
fied by our autonomous vehicles proj-
ect, Google Chauffeur, among others.
Conclusion
Many of the world’s computer science
research questions are of great rel-
evance to Google’s business, our tech-
ju ly 2 0 1 2 | vo l . 55 | n o. 7 | c om m u n i c at ion s o f t he acm
viewpoints
nical leaders, and our user community.
We have chosen to organize computer
science research differently at Google
by maximally connecting research
and development. This yields not only
innovative research results and new
technologies, but also valuable new ca-
pabilities for the company. Our hybrid
approach to research enables us to
conduct experiments at a scale that is
generally unprecedented for research
projects, generating stronger research
results that can have a wider academic
and commercial impact. We also pro-
vide flexible opportunities across the
R&D spectrum for our team members.
While our hybrid research model ex-
ploits a number of things particular to
Google, we hypothesize that it may also
serve as an interesting model for other
technology companies.
References
1. Baluja, S. and Covell, M. Waveprint: Efficient wavelet-
based audio fingerprinting. In Pattern Recognition, 2008.
2. Buderi, R. Engines of Tomorrow: How The World’s
Best Companies Are Using Their Research Labs To Win
The Future. Simon & Schuster, 2000.
3. Chang, F. et al. Bigtable: A distributed storage system
for structured data. In Proceedings of OSDI 2006.
4. Dean, J. and Ghemawat, S. MapReduce: Simplified
data processing on large clusters. In Proceedings of
OSDI 2004.
5. Dodgson, M., Gann, D. and Salter, A. The Management
of Technological Innovation: Strategy and Practice.
Oxford University Press, 2008.
6. Enkel, E., Gassmann, O. and Chesbrough, H. Open R&D
and open innovation: Exploring the phenomenon. In
R&D Management, 2009.
7. Ghemawat, S., Gobioff, H., and Leung, S.T. Google file
system. In Proceedings of ACM SIGOPS 2003.
8. Leifer, R., O’Connor, G. and Rice, M. Implementing
radical innovation in mature firms: The role of hubs.
In The Human Side of Managing Technological
Innovation. R. Katz, Ed., Oxford University Press, 2004.
9. Reis, C., Barth, A., and Pizano, C. Browser security:
Lessons from Google Chrome. ACM Queue 7, 5
(May 2009).
10. Schalkwyk, J. Google Search by Voice: A case
study. In Advances in Speech Recognition: Mobile
Environments, Call Centers, and Clinics. A. Neustein
Ed., Springer, 2010.
11. Stokes, D.E. Pasteur’s Quadrant—Basic Science
and Technological Innovation. Brookings Institution
Press, 1997.
12. Uszkoreit, J., Ponte, J., Popat, A., and Dubiner, M.
Large scale parallel document mining for machine
translation. In Proceedings of COLING 2010.
Additional references can be found at http://research.
google.com/pubs/papers.html.
Alfred Spector ([email protected]) is Vice President
of Research and Special Initiatives at Google, Inc.
Peter Norvig ([email protected]) is Director of
Research at Google, Inc.
Slav Petrov ([email protected]) is Senior Research
Scientist at Google, Inc.
We acknowledge many discussions on this topic with Dan
Huttenlocher, who spent a summer at Google in 2008,
and contributions and reviews from Bill Coughran, Úlfar
Erlingsson, Fernando Pereira, Matt Welsh, and John
Wilkes. We also thank the anonymous reviewers for their
valuable feedback.
Copyright held by author.
37
V
viewpoints

doi:10.1145/2209249.2209263 Sarah Spiekermann

Viewpoint
The Challenges
of Privacy by Design
Heralded by regulators, Privacy by Design holds the promise to solve the digital
world’s privacy problems. But there are immense challenges, including management
commitment and step-by-step methods to integrate privacy into systems.

P
r i vacy ma i n t e n a n c e and
control is a social value
deeply embedded in our
societies. A global survey
found that 88% of people are
worried about who has access to their
data; over 80% expect governments to
regulate privacy and impose penalties
on companies that do not use data re-
sponsibly. But privacy regulation is not
easy. The Internet’s current economics
as well as national security manage-
ment benefit from the collection and
use of rich user profiles. Technology
constantly changes. And data is like
water: it flows and ripples in ways that
are difficult to predict. As a result, even
a well-conceived, general, and sustain-
able privacy regulation, such as the
European Data Protection Directive
95/46/EC, struggles to ensure its ef-
fectiveness. Companies regularly test
legal boundaries and many risk sanc-
tions for privacy breaches to avoid con-
straining their business.
Against this background, the Eu-
ropean Commission and other regu-
latory bodies are looking for a more Technologies (PETs) and add a good as privacy default settings or end-to-
effective, system- and context-specific dose of security, thereby creating a end security of personal data) and the
Photogra ph by Refat/ sh utt erstock. co m

balance between citizens’ privacy
rights and the data needs of compa-
nies and governments. The apparent
solution proposed by regulators now,
but barely specified, is Privacy by De-
sign (PbD). At first sight, the power-
ful term seems to suggest we simply
need to take a few Privacy-Enhancing
fault-proof systems’ landscape for
the future. But the reality is much
more challenging. According to Ann
Cavoukian, the Ontario information
and privacy commissioner who first
coined the term, PbD stands for a pro-
active integration of technical privacy
principles in a system’s design (such
recognition of privacy in a company’s
risk management processes.1 PbD can
thus be defined as “an engineering
and strategic management approach
that commits to selectively and sus-
tainably minimize information sys-
tems’ privacy risks through technical
and governance controls.”

38 communicatio ns o f the ac m | j u ly 201 2 | vo l. 5 5 | no. 7


However, a core challenge for PbD
is to get organizations’ management
involved in the privacy strategy. Man-
agement’s active involvement in the
corporate privacy strategy is key be-
cause personal data is the asset at the
heart of many companies’ business
models today. High privacy standards
can restrict the collection and use of
data for further analysis, limit strate-
gic options, and impact a firm’s bot-
tom line. Consider advertising rev-
enues boosted by behavioral targeting
practices and peoples’ presence on
social networking sites: without per-
sonal data, such services are unthink-
able. PbD proponents hardly embrace
these economic facts in their reason-
ing. In contrast, they take a threat per-
spective arguing that low privacy stan-
dards can provoke media backlash
and lead to costly legal trials around
privacy breaches. And indeed, distrust
caused by privacy breaches is probably
the only real blemish on the image of
technology companies such as Google
or Facebook. Brands are a precious
company asset, the most difficult to
build and the most costly to maintain.
Hence, brand managers should be
keen to avoid privacy risks. Equally, re-
cent data breach scandals have forced
CEOs to quit.
Despite these developments, many
managers still do not understand that
a sustainable strategy for one of their
company’s core assets—personal
data—requires them to actively man-
age this asset. Managing personal data
means optimizing its strategic use,
quality, and long-term availability. Un-
fortunately, few of today’s managers
want to take on this new challenge. In-
stead, they derive what they can from
the information bits they get and leave
the privacy issue as a nuisance that is
better left to be fixed by their lawyers.
But even if managers took up the
privacy challenge and incorporated the
active governance of personal data into
their companies’ strategic asset man-
agement, they would not be able to de-
termine the right strategy without their
IT departments: PbD requires the guts
and ingenuity of engineers. As the term
implies, the design of systems needs to
be altered or focused to technically em-
brace the protection of peoples’ data.
Consequently, privacy must be on en-
gineers’ requirements radar from the
CACM_JOCCH_one-third_page_vertical:Layout viewpoints
Managing personal
data means
optimizing its
strategic use, quality, ACM
and long-term
availability. Journal on
Computing and
Cultural
start of a new IT project. It needs to en-
ter the system development life cycle at
Heritage
such an early point that architectural
decisions around data processing,
transfer, and storage can still be made.
Managers and engineers (as well as
other potential stakeholders) need to
assess the privacy risks they are willing
to take and jointly decide on techni-
cal and governance controls for those
risks they are not willing to bear.
Privacy by Design Challenges
Even when both managers and engi-
neers are committed to PbD, more
challenges must be overcome:
˲˲ Privacy is a fuzzy concept and is ◆ ◆ ◆ ◆ ◆
thus difficult to protect. We need to
come to terms on what it is we want JOCCH publishes papers of
to protect. Moreover, conceptually significant and lasting value in
and methodologically, privacy is often all areas relating to the use of ICT
confounded with security. We need to
start distinguishing security from pri- in support of Cultural Heritage,
vacy to know what to address with what seeking to combine the best of
means. computing science with real
˲˲ No agreed-upon methodology sup-
attention to any aspect of the
ports the systematic engineering of pri-
cultural heritage sector.
vacy into systems. System development
life cycles rarely leave room for privacy
considerations. ◆ ◆ ◆ ◆ ◆
˲˲ Little knowledge exists about the
tangible and intangible benefits and
risks associated with companies’ pri-
vacy practices. www.acm.org/jocch
How can these challenges be over-
come? A Privacy Impact Assessment
www.acm.org/subscribe
(PIA) Framework recently created for
RFID technology (see http://ec.europa.
eu/information_society/policy/rfid/pia/
index_en.htm) has been called a “land-
mark for PbD” because it offers some
answers: The PIA Framework suggests
concrete privacy goals and describes a
method to reach them. Pragmatically,
it recommends that organizations use
ju ly 2 0 1 2 | vo l . 55 | n o. 7 | c om m u n i c at ion s o f t he acm 39
viewpoints
the specific legislative privacy prin-
ciples of their region or sector or the
OECD Privacy guidelines as a starting
point to determine privacy protection
goals. In Europe, for example, the Eu-
ropean Data Protection Directive 95/46/
EC or its successor should be taken. It
includes the following privacy goals:
˲˲ Safeguarding personal data qual-
ity through data avoidance, purpose-
specific processing, and transparency
vis-à-vis data subjects.
˲˲ Ensuring the legitimacy of person-
al and sensitive data processing.
˲˲ Complying with data subjects’
right to be informed, to object to the
processing of their data, and to access,
correct, and erase personal data.
˲˲ Ensuring confidentiality and secu-
rity of personal data.
Security and privacy in this view are
clearly distinguished. Security means
the confidentiality, integrity, and avail-
ability of personal data are ensured.
From a data protection perspective se-
curity is one of several means to ensure
privacy. A good PbD is unthinkable
without a good Security by Design plan.
The two approaches are in a “positive
sum” relationship. That said, privacy
is about the scarcity of personal data
creation and the maximization of in-
dividuals’ control over their personal
data. As a result, some worry that PbD
could undermine law enforcement
techniques that use criminals’ data
traces to find and convict them. More
research and international agreement
in areas such as anonymity revocation
are certainly needed to demonstrate
this need not be the case even if we
have privacy-friendly systems.
After privacy goals are clearly de-
fined, we must identify how to reach
them. The PIA Framework mentioned
earlier is built on the assumption that
a PbD methodology could largely re-
semble security risk assessment pro-
cesses such as NIST or ISO/IEC 27005.
These risk assessment processes iden-
tify potential threats to each protec-
tion goal. These threats and their prob-
abilities constitute a respective privacy
risk. All threats are then systematically
mitigated by technical or governance
controls. Where this cannot be done,
remaining risks are documented to be
addressed later.
As in security engineering, PbD
controls heavily rely on systems’ ar-
40 c om municatio ns o f th e ac m | j u ly 201 2 | vol . 5 5 | no. 7
chitectures.2 Privacy scholars still
put too much focus on information
practices only (such as Web site pri-
vacy policies). Instead, they should
further investigate how to build sys-
tems in client-centric ways that maxi-
mize user control and minimize net-
work or service provider involvement.
Where such privacy-friendly architec-
tures are not feasible (often for busi-
ness reasons), designers can support
PbD by using technically enforceable
default policies (“opt-out” settings)
or data scarcity policies (erasure or
granularity policies), data portabil-
ity, and user access and delete rights.
Where such technical defaults are not
feasible, concise, accurate, and easy-
to-understand notices of data-han-
dling practices and contact points for
user control and redress should come
into play.
A challenge, however, is that system
development life cycles and organiza-
tional engineering processes do not
consider such practices. So far, privacy
is simply not a primary consideration
for engineers when designing systems.
This gap raises many questions: When
should privacy requirements first en-
ter the system development life cycle?
Who should be responsible? Given that
privacy controls impact business goals,
who can actually decide on appropriate
measures? Must there be ongoing pri-
vacy management and practices moni-
toring? If organizations purchase stan-
dard software solutions or outsource
operations, pass data to third parties or
franchise their brands, who is respon-
sible for customer privacy?
Conclusion
For privacy to be embedded in the sys-
tem development life cycle and hence
in organizational processes, compa-
nies must be ready to embrace the do-
main. Unfortunately, we still have too
little knowledge about the real dam-
age that is being done to brands and
a company’s reputation when privacy
breaches occur. The stock market sees
some negligible short-term dips, but
people flock to data-intensive services
(such as social networks); so far, they
do not sanction companies for pri-
vacy breaches. So why invest in PbD
measures? Will there be any tangible
benefits from PbD that justifies the in-
vestment? Would people perhaps be
willing to pay for advertisement-free,
privacy-friendly services? Will they in-
cur switching costs and move to com-
petitive services that are more privacy
friendly? Would the 83% of U.S. con-
sumers who claim that they would stop
doing business with a company that
breaches their privacy really do so? We
need to better understand these dy-
namics as well as the current changes
in the social perception of what we re-
gard as private.
But research on the behavioral eco-
nomics of privacy has clearly demon-
strated that regardless of what people
say, they make irrational privacy deci-
sions and systematically underesti-
mate long-term privacy risks. And this
is not only the case for privacy-seeking
individuals, but also for managers
who are making PbD decisions for
their companies.
Therefore, I appreciate that PIAs
are suggested to become mandatory
in the new European data protection
legislation. However, they must be ac-
companied by a clear set of criteria for
judging their quality as well as sanc-
tions for noncompliance.
Most important, as this Viewpoint
makes clear: PIAs need to be made
mandatory for the designers of new
technologies—the IBMs and SAPs of
the world—and not just data control-
lers or processors who often get system
designs off the shelf without a say.
Making PIAs mandatory for system
designers could be a great step toward
PbD and support compliance with the
policies defined in Europe, in U.S. Pri-
vacy sectors laws, as well as the Safe-
Harbor Framework.
Only if we force those companies
that design systems, their manage-
ment and their engineers, to embrace
such process-driven, bottom-up ways
to embed laws and ethics into code
can we really protect the core values
of our Western liberal democracies
and constitutions.
References
1. Cavoukian, A. Privacy by Design Curriculum 2.0, 2011;
http://privacybydesign.ca/publications/.
2. Spiekermann, S. and Cranor, L.F. Engineering privacy.
IEEE Transactions on Software Engineering 35, 1
(Jan./Feb. 2009), 67–82.
Sarah Spiekermann ([email protected]) is the head of
the Institute for Management Information Systems at
the Vienna University of Economics and Business, Vienna,
Austria.
Copyright held by author.
Previous
A.M. Turing Award
Recipients

1966 A.J. Perlis

1967 Maurice Wilkes
1968 R.W. Hamming
1969 Marvin Minsky
1970 J.H. Wilkinson
1971 John McCarthy
1972 E.W. Dijkstra
1973 Charles Bachman
1974 Donald Knuth
1975 Allen Newell ACM A.M. TURING AWARD
NOMINATIONS SOLICITED
1975 Herbert Simon
1976 Michael Rabin
1976 Dana Scott
1977 John Backus
1978 Robert Floyd
1979 Kenneth Iverson Nominations are invited for the 2012 ACM A.M. Turing Award. ACM’s oldest
1980 C.A.R Hoare
1981 Edgar Codd and most prestigious award is presented for contributions of a technical nature to
1982 Stephen Cook the computing community. Although the long-term influences of the nominee’s
1983 Ken Thompson
1983 Dennis Ritchie work are taken into consideration, there should be a particular outstanding
1984 Niklaus Wirth and trendsetting technical achievement that constitutes the principal claim to
1985 Richard Karp
1986 John Hopcroft
the award. The award carries a prize of $250,000 and the recipient is expected
1986 Robert Tarjan to present an address that will be published in an ACM journal. Financial support
1987 John Cocke
of the Turing Award is provided by the Intel Corporation and Google Inc.
1988 Ivan Sutherland
1989 William Kahan
1990 Fernando Corbató Nominations should include:
1991 Robin Milner
1992 Butler Lampson 1) A curriculum vitae, listing publications, patents, honors, other awards, etc.
1993 Juris Hartmanis
1993 Richard Stearns 2) A letter from the principal nominator, which describes the work of
1994 Edward Feigenbaum the nominee, and draws particular attention to the contribution which
1994 Raj Reddy
1995 Manuel Blum is seen as meriting the award.
1996 Amir Pnueli
1997 Douglas Engelbart 3) Supporting letters from at least three endorsers. The letters should not
1998 James Gray all be from colleagues or co-workers who are closely associated with
1999 Frederick Brooks
2000 Andrew Yao the nominee, and preferably should come from individuals at more than
2001 Ole-Johan Dahl one organization. Successful Turing Award nominations usually include
2001 Kristen Nygaard
2002 Leonard Adleman substantive letters of support from a group of prominent individuals
2002 Ronald Rivest broadly representative of the candidate’s field.
2002 Adi Shamir
2003 Alan Kay For additional information on ACM’s award program
2004 Vinton Cerf
2004 Robert Kahn please visit: www.acm.org/awards/
2005 Peter Naur
2006 Frances E. Allen Additional information on the past recipients
2007 Edmund Clarke of the A.M. Turing Award is available on:
2007 E. Allen Emerson http://amturing.acm.org/byyear.cfm .
2007 Joseph Sifakis
2008 Barbara Liskov
2009 Charles P. Thacker Nominations should be sent electronically
2010 Leslie G. Valiant by November 30, 2012 to:
2011 Judea Pearl Ravi Sethi, Avaya Labs c/o [email protected]
practice
d oi:10.1145/ 2209249.2209264
usefulness and hamper the growth of
Article development led by
queue.acm.org
new applications.
This article aims to provide part of
the bufferbloat solution, proposing
A modern AQM is just one piece an innovative approach to AQM suit-
of the solution to bufferbloat. able for today’s Internet called CoDel
(for Controlled Delay, pronounced like
By Kathleen Nichols and Van Jacobson “coddle”). This is a “no-knobs” AQM
that adapts to changing link rates and

Controlling
is suitable for deployment and experi-
mentation in Linux-based routers (as
well as silicon).
Packet networks require buffers to

Queue Delay
absorb short-term arrival rate fluctua-
tions. Although essential to the opera-
tion of packet networks, buffers tend
to fill up and remain full at congested
links, contributing to excessive traffic
delay and losing the ability to perform
their intended function of absorbing
bursts. The “full buffer problem” was
recognized in the early days of the In-
ternet, and mitigations were explored
then.9,15,17
In 1998, the Internet Research Task
N early th ree d eca d e safter it was first diagnosed, Force urged the deployment of active
queue management in the Internet,1
the “persistently full buffer problem,” recently specifically recommending Random
exposed as part of bufferbloat,6,7 is still with us and Early Detection (RED).5 Although RED
made increasingly critical by two trends. First, was simple and can be effective at re-
ducing persistent queues, little guid-
cheap memory and a “more is better” mentality ance was available to set its configu-
have led to the inflation and proliferation of buffers. ration parameters and it functioned
poorly in a number of cases. This led to
Second, dynamically varying path characteristics are a general reluctance to use it. As RED’s
much more common today and are the norm at the problems became apparent, research
consumer Internet edge. Reasonably sized buffers documented those issues and pro-
posed new AQMs, adding more config-
become extremely oversized when link rates and path uration and complexity to the original
delays fall below nominal values. RED. Though Feng et al.22 pointed out
in 2002 that queue length is not a good
The solution for persistently full buffers, active predictor of congestion, it continued
queue management (AQM), has been known for to be used. Although research contin-
two decades but has not been widely deployed ued, deployment did not.
The Internet has been saved from
because of implementation difficulties and general disaster by a constant increase in link
misunderstanding about Internet packet loss and rates and by usage patterns. Over the
Illustration by A nd reas Ko ll er

past decade, evidence has accumu-

queue dynamics. Unmanaged buffers are more critical lated that this whistling in the dark
today since buffer sizes are larger, delay-sensitive cannot continue without severely im-
applications are more prevalent, and large (streaming) pacting Internet usage: independent
measurement studies4,13 have found
downloads common. The continued existence of edge queuing delays from hundreds of
extreme delays at the Internet’s edge can impact its milliseconds up to multiple seconds.

42 c ommunic atio ns o f th e ac m | j u ly 201 2 | vol . 5 5 | no. 7

1 2 3 4 5 6 7 8

4 5 6 7 8

12.45459430,34.43962930,0.39884989
9.29475655,39.19462381,22.30878452
1 2 3 4 5 6 7 8

40.20392125,8.29991467,52.31173403 12.45459430,34.43962930,0.39884989
9.29475655,39.19462381,22.30878452

3.98672430,82.32754750,93.26614247
40.20392125,8.29991467,52.31173403
21.29056765,49.29917436,20.94763227 21.29056765,49.29917436,20.94763227
3.98672430,82.32754750,93.26614247

1 2 3 4 5

1 2 3 4 5 6 7 8

ju ly 2 0 1 2 | vol . 55 | n o. 7 | c om m u n i cat ion s o f t he acm 43

practice
Figure 1.TCP connection startup.
Sender
Figure 2. TCP connection after one RTT.
Sender
These measurement studies and the
bufferbloat project2 document the
harmful effects of large, unmanaged
buffers at the network edge.
Correct buffer sizing is not an easy
problem. Undersizing—making buf-
fers smaller than the traditional BDP
(bandwidth-delay product)—is fraught
with problems,8 nicely illustrated by
Guillaume Vu-Brugier et al.20 Today’s
links vary in bandwidth, and individual
connections vary in round-trip times
(the “delay” used in BDP). This makes
it impossible to properly pick a static
size for most edge links.13,14 A simple,
robust algorithm that can manage buf-
fer delay regardless of buffer size and
link bandwidth without a negative im-
pact on utilization can make oversized
buffers irrelevant.
Understanding Queues
Developing effective active queue
management has been hampered by
misconceptions about the cause and
meaning of queues. Network buffers
exist to absorb the packet bursts that
occur naturally in statistically multi-
plexed networks. Queues occur in the
buffers as a result of short-term mis-
matches in traffic arrival and departure
rates that arise from upstream resource
44 com munic atio ns o f th e ac m | j u ly 201 2 | vo l . 5 5 | no. 7
Receiver
Receiver
contention, transport conversation
startup transients, and/or changes in
the number of conversations sharing
a link. Unfortunately, other network
behavior can cause buffers to fill, with
effects that are not nearly as benign.
With the wrong conceptual model for
queues, AQMs have limited operation-
al range, require a lot of configuration
tweaking, and frequently impair rather
than improve performance.
Figure 1 shows a TCP connection
shortly after startup (see “Congestion
Avoidance and Control”8 for more
discussion). The sender launches its
window of 25 packets back-to-back,
and they flow through the network
until they hit a bottleneck (bandwidth
reduction). There, as each packet is
squeezed down in bandwidth, it must
stretch out in time since its size stays
constant. The vertical direction is
bandwidth (bits/sec), and the horizon-
tal direction is time (sec), so the area
of each rectangle is the packet size
(bits/sec × sec = bits). For example,
if the packets were 1ms long and the
bandwidth reduction was 100Mbps
to 10Mbps, then the second packet
would arrive 1ms after the first but
would have to wait for an additional
9ms, since it takes 10ms for the first
packet to depart. The third packet
would have to wait for an additional
18ms for both one and two to depart,
and so on. This bottleneck-induced
waiting is what creates the queues that
form in the packet buffers at the link.
Figure 2 shows the connection one
RTT (round-trip time) later. The bot-
tleneck spaces out the packets, and
they retain that spacing after leaving.
The receiver just turns a data packet
into an ack (acknowledgment packet),
so the ack stream retains the spacing
on the return path. The sender turns
each ack into a data packet, so, after
just one RTT, the packet-arrival rate
at the bottleneck exactly equals the
departure rate, and the queue won’t
grow. This is clearly visible in Figure
3, which shows the bottleneck queue
size vs. time. There is an initial peak
corresponding to the initial window’s
worth of back-to-back packets, but it
dissipates after one RTT, leaving just
a ±1 packet variation resulting from
small phase differences in the arrival
and departure processes.
Note, however, that the steady-state
queue in Figure 3 is not zero. Figures
1 and 2 are sized so that the distance
in time between the sender and re-
ceiver is 10 bottleneck packet times
(for example, 100ms if the bottleneck
packet spacing is 10ms); thus, it takes
20 packets in flight to “fill the pipe”
and use 100% of the bottleneck capac-
ity. The window in this example is 25
packets—five more than will fit in the
pipe (the BDP, measured in packets).
These create a standing queue that can-
not dissipate. This is clearly visible in
Figure 2: as the 26th packet is about
to arrive at the bottleneck, five pack-
ets are still in its queue; but, from this
time on, whenever one packet leaves,
another will arrive. Thus, there will al-
ways be five packets in the queue (±1),
even though the sender’s rate is con-
stant. The standing queue has nothing
to do with the sender’s rate but rather
with how much the sender’s window
exceeds the pipe size.
This standing queue, resulting
from a mismatch between the win-
dow and pipe size, is the essence of
bufferbloat. It creates large delays
but no improvement in throughput.
It is not a phenomenon treated by
queuing or traffic theory, which, un-
fortunately, results in it being almost
 practice

universally misclassified as conges-
tion (a completely different and much
rarer pathology). These theories usu-
ally assume Poisson arrival processes,
which are, by definition, uncorrelated.
The arrivals of a closed-loop, reliable
transport process such as TCP are
completely correlated, resulting in
an arrival and departure rate equality
that theorists have dismissed as un-
natural and wildly improbable. Since
normal cures for congestion such as
usage limits or usage-based billing
have no effect on bufferbloat but an-
noy customers and discourage net-
work use, addressing the real problem
would be prudent.
The bufferbloat problem, making
the window match the pipe size, is
hard to address. Window sizes are cho-
sen by senders while queues manifest
at bottleneck gateways. It is difficult
for senders to compute a window size,
since both terms—bottleneck band-
width and RTT—change constantly
as connections come and go, paths
change because of rerouting, layers 1
and 2 protocols adapt bandwidth for
changing physical conditions, and
so on. Since queues can be directly
measured at the bottleneck, the most
promising approach is to detect the
problem there, then signal senders to
reduce their windows (via TCP conges-
sient repeats every RTT and the buffer
is always occupied. The window ex-
actly fills the pipe, however, and there
is no excess queue, so any attempt to
reduce this queue will result in poor
utilization of the bottleneck. Thus, oc-
cupancy time contains no information
about excess queue.
Figure 4 and the leading part of
Figure 3 show queues doing their
job—acting as shock absorbers to
convert bursty arrivals into smooth,
steady departures. This is good queue.
The tail end of Figure 3 shows a queue
doing nothing but creating excess
delay. This is bad queue. The core of
the bufferbloat-detection problem is
separating good from bad. Figure 3
hints at the successful strategy: good
queue is occupancy that goes away in
about one RTT; bad queue persists for
several RTTs. An easy, robust way to
separate the two is to take the mini-
mum of the queue length over a slid-
Figure 3. Queue size vs. time.
Queue length
ing time window that is longer than
the nominal RTT.
Controlled Delay Management
In early 1998, we set out to under-
stand why the original RED was dif-
ficult to configure and came up with
a new RED algorithm (described in
a talk and an unpublished paper10,12)
that needed only one parameter: the
queue’s output bandwidth or aver-
age departure rate. Despite improve-
ments in performance, issues re-
mained—almost anything worked for
long-lived TCP transfers and almost
nothing worked for bursty traffic. In
the decade since, many researchers
have made strides in AQM, but no one
has produced an AQM that has the fol-
lowing characteristics:
˲˲ It is parameterless—it has no
knobs for operators, users, or imple-
menters to adjust.
˲˲ It treats good queue and bad queue

tion-control mechanisms).
Reliable detection is difficult, how-
ever. The big queue at the start of
Figure 3 is necessary for connections
to get started, so queue magnitude
contains no information about excess Time
queue. The fact that the problem lies
in the flat part of Figure 3 has caused
some researchers to look at the time
the buffer is occupied as an indicator. Figure 4. Queue size vs. time for ack-per-window receiver and 20-packet window.
Figure 4 shows the queue vs. time
for a TCP receiver that sends one
ack per window rather than one per
packet. This is a legal, though brittle,
operating mode used by some com-
mercial operating systems with very
Queue length

high per-packet overhead to reduce

the number of acks generated so as to
perform credibly in benchmark tests.
This kind of queue length variation is
also seen in Web traffic—a superposi-
tion of mostly small transfers that are
essentially all startup transient. Since
this ack policy means a full window of
Time
packets is always delivered as a back-
to-back burst, the initial turn-on tran-

ju ly 2 0 1 2 | vol . 55 | n o. 7 | c om m u n i c at ion s o f t he acm 45

practice

differently—that is, it keeps the delays that distinguish it from prior AQMs. time through the queue. Use of the ac-
low while permitting bursts of traffic. First, CoDel’s algorithm is not based tual delay experienced by each packet
˲˲ It controls delay, while insensitive on queue size, queue-size averages, is independent of link rate, gives supe-
to round-trip delays, link rates, and queue-size thresholds, rate measure- rior performance to use of buffer size,
traffic loads. ments, link utilization, drop rate or and is directly related to the user-visi-
˲˲ It adapts to dynamically changing queue occupancy time. Starting from ble performance.
link rates with no negative impact on Van Jacobson’s 2006 insight,11 we used Using the minimum value has some
utilization. the local minimum queue as a more important implications. The mini-
˲˲ It is simple and efficient—it can accurate and robust measure of stand- mum packet sojourn can be decreased
easily span the spectrum from low- ing queue. Then we observed that it is only when a packet is dequeued, which
end, Linux-based access points and sufficient to keep a single-state vari- means all the work of CoDel can take
home routers up to high-end commer- able of how long the minimum has place when packets are dequeued for
cial router silicon. been above or below the target value transmission and that no locks are
for standing queue delay rather than needed in the implementation. The
One Code Module, No keeping a window of values to com- minimum is the only statistic with this
Knobs, Any Link Rate pute the minimum. Finally, rather property. The only addition to packet
CoDel (Controlled Delay Manage- than measuring queue size in bytes or arrival is that a timestamp of packet ar-
ment) has three major innovations packets, we used the packet-sojourn rival time is created. If the buffer is full
when a packet arrives, then the packet
Figure 5. CoDel and RED performance variation with link bandwidth. can be dropped as usual.
CoDel assumes a standing queue of
CoDel Median Pkt Delay (sec) RED Median Pkt Delay (sec)
target is acceptable and that it is un-
by Bandwidth (Mbps) by Bandwidth (Mbps) acceptable to drop packets when there
0.020 0.020 are fewer than one MTU’s (maximum
transmission unit’s) worth of bytes in
0.015 0.015
the buffer. CoDel identifies the per-
0.010 0.010 sistent delay by tracking the (local)
0.005 0.005 minimum queue delay packets expe-
rience. To ensure the minimum value
0 0
3 10 45 100 3 10 45 100
does not become stale, it has to have
been experienced within the most re-
(a) (c)
cent interval. When the queue de-
CoDel Link Utilization by REDLink Utilization by lay has exceeded target for at least
Link Bandwidth (Mbps) Link Bandwidth (Mbps)
interval, a packet is dropped and
1.0 1.0
a control law sets the next drop time.
0.9 0.9
The next drop time is decreased in in-
0.8 0.8
0.7
verse proportion to the square root of
0.7
0.6
the number of drops since the drop-
0.6
0.5 0.5
ping state was entered, using the well-
0.4 0.4 known relationship of drop rate to
3 10 45 100 3 10 45 100 throughput to get a linear change in
(b) (d) throughput.12,16 When the queue de-
lay goes below target, the controller
stops dropping. No drops are carried
out if the buffer contains fewer than
Figure 6. CoDel performance variation with link bandwidth for low bandwidths. an MTU’s worth of bytes. Additional
logic prevents reentering the drop-
ping state too soon after exiting it and
Median Packet Delays Link Utilization by
by Bandwidth Link Bandwidth (in Mbps)
resumes the dropping state at a recent
0.16 1.0 control level, if one exists.
— 500B MTU
0.14
— 1500B MTU 0.9
Target and interval are con-
0.12
0.10 1.0
Web-only Traffic stants with straightforward interpreta-
0.08 0.8
tions: acceptable standing queue delay
0.06 and a time on the order of a worst-case
0.04 0.6
0.02 RTT of connections through the bottle-
0.4
0 neck. We experimented to determine
0.128 0.256 0.512 1.5 0.128 0.256 0.512 1.5 values for target and interval
(a) (b) that give a consistently high utiliza-
tion with a controlled delay across a
range of bandwidths, RTTs, and traffic

46 comm unicatio ns o f the acm | j u ly 201 2 | vo l. 5 5 | no. 7


loads. Below a target of 5ms, utiliza-
tion suffers for some conditions and
traffic loads; above 5ms there is very
little or no improvement in utilization.
Interval is loosely related to RTT
since it is chosen to give endpoints
time to react without being so long
that response times suffer. A setting
of 100ms works well across a range of
RTTs from 10ms to 1 second (excellent
performance is achieved in the range
from 10ms to 300ms). (Pseudocode
for CoDel is included in the appendix,
available at http://queue.acm.org/ap-
pendices/codel.html.)
CoDel’s efficient implementation
and lack of configuration are unique
features that make it suitable for man-
aging modern packet buffers. The
three innovations—using minimum
rather than average as the queue mea-
sure, simplified single-state variable
tracking of minimum, and use of
queue-sojourn time—lead directly to
these unique features.
Simulation Experiments
No network simulation provides a
high-fidelity representation of real-
ity; the real test of CoDel will come
through deployment on networks.
Though CoDel’s functionality and an
evaluation of its merits are our main
concerns, some AQM comparisons
can serve as a sanity check. We did
several thousand simulation runs,
varying bottleneck bandwidth from
64kbps to 100mbps, end-to-end delay
from 5ms to 1sec., simultaneous bulk
data transfers from 0–50, PackMime
Web traffic intensity from 0–80, with
and without CBR traffic, with both
Reno and CUBIC TCP congestion
control, and all with CoDel using the
same, constant configuration values.
As the next section will show, CoDel
performed very well. Most impor-
tantly, when link rates vary dynami-
cally—even as much as two orders of
magnitude—CoDel adapts. Results
are compelling enough to move on to
the next step of extensive real-world
testing in Linux-based routers.
Simulator Configuration. For expe-
diency, we used the freely available
ns-2 simulator.18 Our file-transfer ap-
plication used the Linux TCP suite,
primarily with CUBIC congestion
control. Results (available online)
were similar with New Reno but with
slightly lower utilizations, as expect-
ed. To emulate Web-browsing loads,
we used PackMime,21 which runs with
the ns-2 Full-TCP protocol and uses
the New Reno congestion-control al-
gorithm. A constant bit-rate applica-
tion used UDP (User Datagram Pro-
tocol) and was configured at 64Kbps
in 100-byte packets. All TCPs were
configured with modern parameters,
including use of SACK. In most cases,
CoDel’s managed buffer was set very
large (~8xBDP packets) to verify that
the actual size of the buffer does not
matter. For comparison, we also ran
many of our test scenarios with the
ns-2 RED AQM module substituted
for CoDel. We used the most recent
settings and code for ns-2 RED, which
reads the initial link bandwidth and
delay to adjust its settings, rather
than the original RED of Floyd and Ja-
cobson.5 We also attempted to run the
scenarios with BLUE22 but its default
settings performed badly and limited
experimentation did not result in set-
tings that worked well so we did not
pursue it.
Metrics. The metrics of interest for
AQMs—queue delay and size, link utili-
zation, and “fairness” of drops between
flows—can be quite sensitive to the
types of traffic mixes and link band-
widths,10,12,20 so we tested a range of traf-
fic loads and conditions. The per-packet
queue delay for successfully transmit-
ted (not dropped) packets is particu-
larly useful. This can be viewed against
simulation time for a single run or the
statistics over the run (for example, me-
dian and 95th percentile) can be used for
comparisons and trends. Monitoring
link utilization ensures queue manage-
ment does not have a negative impact
on throughput. Though not our primary
concern, we used the Jain fairness in-
dex to see if drop share per source was
somewhat in proportion to the number
of packets transmitted, computed for n
samples as:
(Σixi)2
n ⋅ (Σixi2)
Performance Across a Range
of Static Link Rates
CoDel is the same code with the same
settings, regardless of egress link rate.
To see how well it works, we collected
the median packet delay and link utili-
ju ly 2 0 1 2 | vo l . 55 | n o. 7 | c om m u n ic at ion s o f t he acm
practice
zation values from a number of traffic
loads (FTPs with and without added
Web-browsing and constant-bit-rate
applications) and RTTs from 10ms–
500ms, sorted them by link band-
widths, and box plotted the results.
These are displayed separately for
larger bandwidths (3Mbps, 10Mbps,
45Mbps, and 100Mbps in Figure 5)
and smaller bandwidths (128Kbps,
256Kbps, 512Kbps, and 1.5Mbps in
Figure 6). The results for RED are also
shown for the larger bandwidths, but
median delays for the smaller set were
excessive (100ms–200ms).
CoDel drops only when its mini-
mum delay statistic exceeds 5ms and
the buffer contains at least a link
MTU’s worth of bytes. For links with
MTUs transmitting in less than 5ms
(the larger bandwidth group) and traf-
fic loads consisting of all long-lived
FTPs, the median delay should ap-
proach this target. CoDel is designed
to permit short-term bursts; thus, me-
dian values for bursty traffic patterns
should be higher than the 5ms target.
For larger bandwidths, delay resulting
from bursts of packets is small com-
pared with the target (for example, a
1,500-byte packet is transmitted in
0.1ms at 100 Mbps), so load variations
have less effect on the median. At
smaller bandwidths the delay caused
by an additional packet is significant
compared with the target (or example,
4ms for a 3Mbps link), and median
delays will be noticeably larger. This is
exactly the desired behavior: the lon-
ger delays are not excessive and per-
mit link utilizations to be maintained
at high levels. Figure 5 shows CoDel
delays are as expected and the link
utilizations are good. RED’s delays
and utilizations are similar for 3Mbps
links, but delays and utilizations are
smaller for 10Mbps and above. The
low utilizations show that RED is like-
ly overcontrolling.
The lower bandwidth values de-
picted in Figure 6 use a smaller range
of RTTs (30ms–100ms). Such link rates
can be expected at the consumer In-
ternet-access edge (handheld, home)
or on degraded Wi-Fi links. Static low-
bandwidth links usually use a smaller
link MTU, so we collected data where
the link MTU was set to 500 bytes, as
well as the 1,500-byte MTU used for all
other runs. As expected, the larger MTU
47
practice

Figure 7. Wireless example.

Per-Packet Queue Delay Detail of Per-Packet Queue Delay Cumulative Kbytes transferred
for Dynamic Bandwidth vs. Simulation Time (sec) vs. simulation time (sec)

— CoDel RED — Tail drop — CoDel RED — Tail drop

10 1.0
1 × 105

ps
sp

s
Mb
bp
Mb

bp
ps

ps
1M

50

1M
10
s

s
10

b
b
bp

bp

0M
0M
ps

s
0M

0M
bp

s
0.5
s

10
Mb

bp

10
bp

M
10

10
1M
50
10

1M

2 5 10 pckt buffers

0 0 0
0 50 100 150 200 250 300 0 50 100 150 200 250 300 0 50 100 150 200 250 300
(a) (b) (c)

increases delays, but less significantly
as bandwidth increases. Utilizations
for low-bandwidth links are gener-
ally good since they are easy to fill with
mixes of FTPs. A few runs were done
at each bandwidth with only the Pack-
Mime Web browsing, which makes it
difficult to get high utilizations; we had
to accept a drop rate of more than 10%
to get over 60% utilization.
Performance on Dynamic Links
Some dynamic link testing is possible
in simulation. To roughly emulate a
(nominal) 100Mbps Wi-Fi link sub-
ject to degradation, we used a load of
four FTPs and five Web connections
Figure 8. CoDel and RED performance by RTT.
CoDel 95th Percentile Delay (sec)
0.06
0.04
0.02
0 0.02
CoDel Median Delays (sec)
0.02
0.01
0 0
10 30 50 100
(a)
CoDel Median Link Utilizations
1.0
0.9
0.8
0.7
0.6
0.5
10 30 50 100
(b)
per second and changed link rates a buffer full of packets at the current
at 50-second intervals (over the 300 link rate. That delay can be as much
simulated seconds), first dropping to as 10 seconds. RED keeps the queue
10Mbps, then to 1Mbps, then jump- delay smaller than Tail Drop but does
ing to 50Mbps, dropping to 1Mbps, not respond to changes as quickly as
and finally jumping back to 100Mbps. CoDel. CoDel permits an initial spike
Buffer capacity is a single BDP (830 as the FTPs get started and a dropping
packets) for the nominal rate. This rate is learned for the current condi-
scenario was repeated for CoDel, Tail tions. The delays spike when the link
Drop, and RED. rates drop (at 50, 100, and 250 sec-
Figure 7 shows the per-packet onds), as the queue size is now too
queue delay and the cumulative long for the new rate. CoDel computes
number of kilobytes transferred as a new control point within 100 ms,
simulation time progresses. As ex- the maximum interval a local mini-
pected, Tail Drop generally keeps its mum is valid. It is an open question
buffer full, delaying packets by the whether anything should be done to
amount of time it takes to transmit speed this; preliminary studies show
it is better not to attempt to “clear
out” the backlog. If rate changes of an
order of magnitude or more several
times a minute are common, then the
RED 95th Percentile Delay (sec)
issue may require further study.
0.06
Comparing the kilobytes trans-
0.04
ferred with the queue delay, it is easy
to see that long delays are not required
0
RED Median Delays (sec) for high utilization. CoDel transfers
0.02
almost the same total kilobytes as Tail
0.01 Drop, with the differences coming at
the rate jumps (150 and 250 seconds),
150 200 500
where CoDel’s FTPs have to ramp
10 30 50 100 150 200 500
(c) up to fill the new pipe size while Tail
Drop’s queues send their backlog. Un-
1.0 RED Median Link Utilizations
dersized buffers are not the answer
0.9 to bufferbloat. Figure 7 shows the
same scenario using 10 packet buf-
0.8
fers, a size suitable for the 1Mbps rate.
0.7 Throughput is about 75% less for all
three schemes (Tail Drop and CoDel
0.6
are identical). Tail Drop tends to keep
0.5 its 10-packet buffer full, which would
result in a worst-case delay of 120ms
150 200 500 10 30 50 100 150 200 500
(d) but with 25% of the throughput that
can be achieved with a large CoDel-
managed buffer—which gets a medi-

48 comm unicatio ns o f the acm | j u ly 201 2 | vol . 5 5 | no. 7

 practice

an delay of 2.7ms, 75th percentile de-
lay of 5ms, and is less than 90ms 95%
of the total simulation time.
Dropping the Right Packets
Although most network analysis today
assumes connections with an unload-
ed 100-ms RTT, in practice RTTs vary.
Unless a path includes a satellite link,
RTTs in the one-second range are usu-
ally caused by bufferbloat, not the in-
trinsic path characteristics. At the con-
sumer edge, few connections will have
less than a 30ms RTT. Since CoDel’s in-
terval is weakly related to RTT, we test-
ed the effectiveness of a 100-ms setting
over a wide range of likely RTTs and
report on the range from 10ms–500ms.
Figure 8 shows results for a variety
of traffic loads, sorted by RTT. Both
CoDel and RED keep the median delay
low, but CoDel has higher link utiliza-
tions and better drop-share fairness,
showing that CoDel’s design is more
effective at dropping the right pack-
ets. CoDel’s utilization is very close to
that of Tail Drop (except for an RTT
of 500ms) but with much less delay.
CoDel’s performance metrics are not
significantly different between 30ms
and 200ms RTTs. Utilizations are
slightly less and have a larger range
as the RTT increases, because some
traffic loads have difficulty keeping
the larger pipe full. The 500ms RTT
utilization shows more variation, the
make drops less randomly distributed
while CoDel gets randomness from the
independence of drop intervals and
packet arrivals.
Consumer Edge
This scenario roughly emulates a con-
sumer edge for two (symmetric) band-
widths: 512KB and 1.5MB. The load
includes a two-way 64Kbps CBR (VoIP-
like), an infinite FTP as a download,
Web browsing at a rate of two connec-
tions per second, and uploads of small
FTPs—1MB with short idle periods (5
to 15 seconds, uniformly distributed)
between. The table lists results, where
“C” is CoDel and “T” is Tail Drop and
each link direction is shown separately.
Although CoDel never drops packets at
a higher rate than Tail Drop, it keeps a
much smaller queue and transfers sim-
ilar amounts of data, offering encour-
agement for taming bufferbloat.
The experiments presented here
mainly consist of “forward” traffic
where all the data traffic is going in the
analyzed direction. Reverse traffic has
well-known issues of ack compression
or data pendulum, which tend to push
Figure 9. Jain fairness for drop share, CoDel (shown in black) and RED (shown in red).
Fairness Index of Source Drop Share
1.0
0.8
the delay up and the utilization down.
There are known mitigations to im-
prove the mixing of acks and data pack-
ets that will be performed in the home-
router implementation. Even the
unmitigated simulation experiments
showed acceptable performance.
AQM is not a substitute for differen-
tiated queuing to provide priority for
packets that need low latency and jit-
ter. We have had a lot to say in the past
about solutions for that type of traffic;
AQM should be employed on the pack-
et queues handling common Internet
traffic and a Delay Bound per-hop be-
havior used for latency sensitive traffic.
CoDel lends itself to efficient imple-
mentation in Linux-based routers, cru-
cial to deployment at the edge. Other
AQM implementations require locks
on the queue that are not necessary for
CoDel. There are also a small number
of state variables. We believe CoDel’s
algorithm can be efficiently imple-
mented in silicon.
Manage the Right Queue
At this point, a savvy user could be
tempted to deploy CoDel through

low end corresponding to single FTPs, 0.6

which have difficulty keeping a very
large pipe full. 0.4
Figure 9 compares the Jain fairness
index for the source-drop shares of 0.2

CoDel and RED for these runs. CoDel 0

consistently outperforms RED for this 10 30 50 100 150 200 500
metric. This seems to be, in part, be-
cause the changes to the original RED

Consumer edge example.

512Kbps Links 1.5Mbps Links

download upload download upload
metric C T C/T C T C/T C T C/T C T C/T
pkt drop % 8 8 100% 1.5 5.8 25% 3.5 4.7 75% 1.4 2.5 56%
median delay 18 73 25% 9 37 25% 8 49 17% 0 0 100%
(ms)
total Mbytes 17 18 95% 13 14 92% 37 40 92% 22 21 103%
fairness 0.87 0.9 98% 0.9 0.9 104% 0.8 1 84% 0.6 0.7 85%
of drops

ju ly 2 0 1 2 | vo l . 55 | n o. 7 | c om m u n i c at ion s o f t he acm 49
practice
Figure 10. Rate mismatch in a cable modem.
CPE Router
Ethernet
user Scheduler
(100 Mbps–1Gbps)
pkts
When uplink is heavily utilized
the router buffers will fill
a CeroWrt-enabled edge router to
make bufferbloat disappear. Unfor-
tunately, large buffers are not always
located where they can be managed
but can be ubiquitous and hidden.6,7
Examples include consumer-edge
routers connected to cable modems
and wireless access points with ring
buffers. Many users access the In-
ternet through a cable modem with
varying upstream link speeds: 2 Mbps
is a typical value. The home network
or home computer connects to the
cable modem with an Ethernet cable
in the range of 100Mbps–1Gbps (Fig-
ure 10). The modem’s buffers are at
the fast-to-slow transition, and that is
where queues will build up: inside a
sealed device outside of user control.
Any differentiated services (DiffServ)
queuing and buffer management at
the router can be defeated by a full
queue in the cable modem. Three ap-
proaches have been suggested: limit
the Ethernet link to the upstream
rate; put buffer management and Dif-
fServ queues in the cable modem with
a configuration interface for the Diff-
Serv queues; and implement Ethernet
flow control between the modem and
the upstream router.
Option 1 has the advantage that it
can be implemented by a user with-
out cable-modem changes and the
disadvantage that it must rate limit to
the expected rate of the upstream. If
the rate drops, then a queue will still
build up in the cable modem, and any
additional short-term bandwidth can-
not be utilized. Option 2 puts buffer
management right at the bottleneck
link but requires the vendor to make
(possibly significant) changes to the
modem architecture and permit con-
figuration. Option 3 also requires
50 c om municatio ns o f th e acm | j u ly 201 2 | vol . 5 5 | no. 7
Cable Modem
upstream
CM buffer
(2Mbps-?)
Rate mismatch will
cause CM buffer to fill
(bufferbloat) and may
cause priority inversion
vendors to make changes but uses
Ethernet flow control to permit only
the number of packets in the modem
buffer needed for good transmission
utilization while pushing the queue
into the router where it can be man-
aged and where new algorithms can
be more readily deployed. Options 2
or 3 are preferable but require a cable-
modem vendor and/or a cable data
network service provider to make this
part of the modem requirements.
A modern AQM is just one piece of
the solution to bufferbloat. Concat-
enated queues are common in packet
communications with the bottleneck
queue often invisible to users and many
network engineers. A full solution has
to include raising awareness so that the
relevant vendors are both empowered
and given incentive to market devices
with buffer management.
Next Steps
The open source project CeroWrt3 is
using OpenWrt to explore solutions to
bufferbloat. A CoDel implementation
is in the works, after which real-world
data can be studied. We plan to make
our ns-2 simulation code available, as
well as some further results.19 Van Jacobson is a Research Fellow at PARC where he
Related articles
on queue.acm.org
Bufferbloat: Dark Buffers in the Internet
Jim Gettys, Kathleen Nichols
http://queue.acm.org/detail.cfm?id=2071893
Revisiting Network I/O APIs:
The netmap Framework
Luigi Rizzo
http://queue.acm.org/detail.cfm?id=2103536
The Robustness Principle Reconsidered
Eric Allman
http://queue.acm.org/detail.cfm?id=1999945
References
1. Braden, R. et al. Recommendations on queue
management and congestion avoidance in the
Internet. RFC 2309 (1998).
2. Bufferbloat Project; http://www.bufferbloat.net.
3. CeroWrt Project; http://www.bufferbloat.net/projects/
cerowrt.
4. Dischinger, M. et. al. Characterizing residential
broadband networks. In Proceedings of the Internet
Measurement Conference, San Diego, CA, 2007.
5. Floyd, S. and Jacobson, V. Random early detection
gateways for congestion avoidance. IEEE/ACM
Transactions on Networking, (1993).
6. Gettys, J. Bufferbloat: Dark buffers in the Internet.
Backspace Column. IEEE Internet Computing 15, 3
(2011), 95-96.
7. Gettys, J. and Nichols, K. 2011. Bufferbloat: Dark
buffers in the Internet. Commun. ACM 9, 11 (Sept.
2011) 57–65.
8. Jacobson, V. Congestion avoidance and control.
Proceedings of SIGCOMM ’88, (Stanford, CA, 1998).
9. Jacobson, V. Reported in Minutes of the Performance
Working Group. Proceedings of the Cocoa Beach
Internet Engineering Task Force. Corporation for
National Research Initiatives, Reston, VA, 1989.
10. Jacobson, V. Notes on using RED for queue
management and congestion avoidance. Talk
presented at North American Network Operators’
Group (1998); ftp://ftp.ee.lbl.gov/talks/vj-nanog-red.pdf.
11. Jacobson, V. A rant on queues. A talk presented at
MIT Lincoln Labs, Lexington, MA, 2006; http://www.
pollere.net/Pdfdocs/QrantJul06.pdf.
12. Jacobson, V., Nichols, K. and Poduri, K. RED in a
different light, 1999; http://www.cnaf.infn.it/~ferrari/
papers/ispn/red_light_9_30.pdf.
13. Kreibich, C. et. al. Netalyzr: Illuminating the edge
network. In Proceedings of the Internet Measurement
Conference, (Melbourne, Australia, 2010).
14. Li, T. and Leith, D. Adaptive buffer sizing for TCP
flows in 802.11e WLANs. In Proceedings of the 2008
Communications and Networking in China.
15. Mankin, A. Random drop congestion control. In
Proceedings of SIGCOMM ’90.
16. Mathis, M., Semke, J. and Mahdavi, J. The macroscopic
behavior of the TCP congestion avoidance algorithm.
ACM SIGCOMM Computer Communication Review 27,
3 (1997).
17. Nagle, J. Congestion control in IP/TCP internetworks.
RFC 896 (1984); http://www.ietf.org/rfc/rfc896.txt,.
18. Network Simulator - ns-2; http://nsnam.isi.edu/nsnam/
index.php/User_Information.
19. http://www.pollere.net/CoDel.html.
20. Vu-Brugier, G., et. al. 2007. A critique of recently
proposed buffer-sizing strategies. ACM SIGCOMM
Computer Communication Review 37(1).
21. Weigle, M. C. 2002. Web traffic generation in ns-2 with
PackMime-HTTP; http://www.cs.odu.edu/~mweigle/
research/packmime.
22. Feng, W. et. al. 2002. The BLUE Active Queue
Management Algorithm. IEEE/ACM Transactions on
Networking 10, 4 (2002), 513–528.
Kathleen Nichols is the founder and CTO of Pollere Inc.,
a consulting company working in both government and
commercial networking. She has 30 years of experience
in networking, including a number of Silicon Valley
companies and as a cofounder of Packet Design.
leads its content-centric networking research program.
He has worked at Lawrence Berkeley National Laboratory,
Cisco Systems, and was a cofounder of Packet Design.
© 2012 ACM 0001-0782/12/07 $15.00
 d oi:10.1145/ 2209249 . 2 2 0 9 2 6 5

Article development led by

queue.acm.org

Until our programming languages

catch up, code will be full of horrors.
By Poul-Henning Kamp

My Compiler
Does Not
Understand Me
Only lately— and after a long wait—have a lot of smart
people found audiences for making sound points
about what and how we code. Various colleagues have
been beating drums and heads together for ages trying
to make certain that wise insights about programming
stick to neurons. Articles on coding style in this and

other publications have provided fur-
ther examples of such advocacy.
As with many other educational ef-
forts, examples that are used to make
certain points are, for the most part,
good examples: clear, illustrative, and
easy to understand. Unfortunately,
the flame kindled by an article read
over the weekend often lasts only
until Monday morning rolls around
when real-world code appears on the
screen with a bug report that just does
not make sense—as in, “This can’t
even happen.”
When I began writing the Varnish
HTTP accelerator, one of my design
decisions—and I think one of my best
decisions—was to upgrade my OCD to
CDO, the more severe variant, where
you insist letters be sorted alphabeti-
cally. As an experiment, I pulled to-
gether a number of tricks and practic-
es I had picked up over the years and
turned them all up to 11 in the Varnish
source code. One of these tricks has
been called the red-haired stepchild
of good software engineering and is
widely shunned by most program-
mers for entirely wrong and outdated
reasons. So let me try to legitimize it
with an example.
Here is a surprisingly difficult pro-
gramming problem: What do you do
when close(2) fails?
Yes, close(2) does in fact return
an error code, and most programmers
ignore it, figuring that either: it can-
not fail; or if it does, you are in trouble
anyway, because obviously the ker-
nel must be buggy. I do not think it is
OK just to ignore it, since a program
should always do something sensible
with reported errors. Ignoring errors
means you have to deduce what went
wrong based on the debris it causes
down the road, or worse, that some

ju ly 2 0 1 2 | vo l . 55 | n o. 7 | c om m u n i c at ion s o f t he acm 51
practice

criminal will exploit your code later
on. The one true ideal might appear
to be, “Keep consistent and carry on,”
but in the real world of connected and
interacting programs, you must make
a careful determination as to whether
it is better to abort the program right
away or to soldier on through adversi-
ty, only to meet certain ruin later.
Realizing that “I have only a very
small head and must live with it,”1 sen-
sible compromises must be made—
for example, a trade-off between the
probability of the failure and the effort
of writing code to deal with it. There
is also a real and valid concern about
code readability—handling unlikely
exceptions should not dominate the
source code.
In Varnish the resulting compro-
mise typically looks like this:
AN(vd);
AZ(close(vd->vsm _ fd));
AN is a macro that means Assert Non-
zero and AZ means Assert Zero, and
if the condition does not hold, the
program core-dumps right then and
there.
Yes, the red-haired stepchild I want
to sell you is the good old assert, which
I feel should be used a lot more in to-
day’s complicated programs. Where I
judge the probability of failure is rel-
evant, I use two other variants of those
macros, XXXAN and XXXAZ, to signal,
“This can actually happen, and if it
happens too much, we should handle
it better.”
retval = strdup(of);
XXXAN(retval);
return (retval);
This distinction is also made in the
dump message, which for AZ() is “As-
sert error” vs. XXXAZ()’s “Missing er-
ror-handling code.”
Where I want to ignore a return val-
ue explicitly, I explicitly do so:
(void)close(fd);
Of course, I also use “naked” asserts
to make sure there are no buffer over-
runs:

Figure 1. Mini objects. assert(size < sma->sz);

struct lru {
or to document important assump-
unsigned magic; tions in the code:
#define LRU_MAGIC 0x3fec7bb0
... assert(sizeof (unsigned short)
};
... == 2);
struct lru *l;
ALLOC_OBJ(l, LRU_MAGIC); But we are not done yet. One very typ-
XXXAN(l);
...
ical issue in C programs is messed-up
FREE_OBJ(l); lifetime control of allocated memory,
typically accessing a struct after it has
The ALLOC _ OBJ and FREE _ OBJ macros ensure that the MAGIC field is set to the randomly been freed back to the memory pool.
chosen nonce when that piece of memory contains a struct lru and is set to zero when it does not.
In code that gets called with an lru pointer, another macro checks asserts the pointer points Passing objects through void*
to what we think it does: pointers, as one is forced to do when
simulating object-oriented program-
int
foo(struct lru *l)
ming in C, opens another can of
{ worms. Figure 1 illustrates my brute-
CHECK_OBJ_NOTNULL(l, LRU_MAGIC); force approach to these problems.
... In terms of numbers, 10% of the
If the pointer comes in as a void *, then a macro casts it to the desired type and asserts its validity:
non-comment source lines in Varnish
static void * are protected with one of the asserts
vwp_main(void *priv) just shown, and that is not counting
{
what gets instantiated via macros and
struct vwp *vwp;
CAST_OBJ_NOTNULL(vwp, priv, VWP_MAGIC); inline functions.
...
A Method to the Madness
All this checking is theoretically re-
dundant, particularly the cases where
Figure 2. Compile time asserts. function A will check a pointer before
calling function B with it, only to have
function B check it again.
#define CTASSERT(x,z) _CTASSERT(x, __LINE__, z) Though it may look like madness,
#define _CTASSERT(x, y, z) __CTASSERT(x, y, z)
there is reason for it: these asserts
#define __CTASSERT(x, y, z) \
typedef char __ct_assert ## y ## __ ## z [(x) ? 1 : -1] also document the assumptions of the
... code. Traditionally, that documenta-
CTASSERT(sizeof(struct wfrtc_proto) == 32, \ tion appears in comments: “Must be
Struct_wfrtc_proto_has_wrong_size);
called with a valid pointer to a foobar
larger than 16 frobozz” and so on.
The problem with comments is the

52 c omm unic atio ns o f the ac m | j u ly 201 2 | vo l . 5 5 | no. 7


compiler ignores them and does not
complain when they disagree with the
code; therefore, experienced program-
mers do not trust them either. Docu-
menting assumptions so the compiler
pays attention to them is a much better
strategy. All this “pointless checking”
grinds a certain kind of performance
aficionado up the wall, and more than
one has tried stripping Varnish of all
this “fat.”
If you try that using the standard-
ized -DNDEBUG mechanism, Varnish
does not work at all. If you do it a little
bit smarter, then you will find no rel-
evant difference and often not even a
statistically significant difference in
performance.
Asserts are much cheaper than they
used to be for three reasons:
˲˲ Compilers have become a lot
smarter, and their static analysis and
optimization code will happily remove
a very large fraction of my asserts, hav-
ing concluded that they can never trig-
ger. That is good, as it means I know
how my code works.
˲˲ The next reason is the same, only
the other way around: the asserts put
constraints on the code, which the
static analysis and optimizer can ex-
ploit to produce better code. That is
particularly good, because that means
my asserts actively help the compiler
produce better code.
˲˲ Finally, the sad fact is that today’s
CPUs spend an awful lot of time wait-
ing for stuff to come in from memo-
ry—and performing a check on data
already in the cache in the meantime
is free. I do not claim that asserts are
totally free—if nothing else, they do
waste a few nanojoules of electricity—
but they are not nearly as expensive as
most people assume, and they offer
a very good bang-for-the-buck in pro-
gram quality.
Intentional Programming
In the long term, you should not need
to use asserts, at least not as much as
I do in Varnish, because at the end of
the day, they are just hacks used to pa-
per over deficiencies in programming
languages. The holy grail of program-
ming is “intentional programming,”
where the programmer expresses his
or her exact and complete intention,
and the compiler understands it.
Looking at today’s programming lan-
guages, I still see plenty of time before
progress goes too far and we are no
longer stuck on compilers, but rather
on languages.
Compilers today know things about
your code that you probably never
realize, because they apply a chess-
grandmaster-like analysis to it. Pro-
gramming languages, however, do not
become better vehicles for expressing
intent; quite the contrary, in fact.
It used to be that you picked a
width for you integer variable from
whatever register sizes your computer
had: char, short, int, or long. But
how could you choose between a short
and a long if you did not know their ac-
tual sizes?
The answer is that you couldn’t, so
everybody made assumptions about
the sizes, picked variable types, and
hoped for the best. I do not know how
this particular mistake happened.
We would have been in much better
shape if the fundamental types had
been int8, int16, int32, and int64
from the start, because then pro-
grammers could state their inten-
tions and leave the optimization to
the compiler, rather than try to out-
guess the compiler.
Some languages—Ada, for exam-
ple—have done it differently, by allow-
ing range constraints as part of vari-
able declarations:
Month : Integer range 1..12;
This could be a pretty smooth and
easy upgrade to languages such as C
and C++ and would provide much-
needed constraints to modern compil-
er analysis. One particularly strong as-
pect of this format is that you can save
space and speed without losing clarity:
Door _ Height: Integer range
150..400;
This fits comfortably in eight bits,
and the compiler can apply the required
offset where needed, without the pro-
grammer even knowing about it.
Instead of such increased granu-
larity of intention, however, 22-plus
years of international standard-
ization have yielded <stdint.h>
with its uint_least16_t, to which
<inttypes.h> contributes PRIu-
LEAST16, and on the other side <lim-
ju ly 2 0 1 2 | vo l . 55 | n o. 7 | c om m u n i c at ion s o f t he acm
practice
it.h> with UCHAR _ MAX, UINT _
MAX, ULONG _ MAX, but, inexplicably,
USHRT _ MAX, which confused even
the person who wrote od(1) for The
Open Group.
This approach has so many things
wrong with it that I barely know where
to start. If you feel like exploring it, try
to find out how to portably sprintf(3)
a pid_t right-aligned into an eight-
character string.
The last time I looked, we had not
even found a way to specify the exact
layout of a protocol packet and the
byte-endianess of its fields. But, hey,
it is not like CPUs have instructions
for byte swapping or that we ever use
packed protocol fields anyway, is it?
Until programming languages catch
up, you will find me putting horrors as
those shown in Figure 2 in my source
code, to try to make my compiler un-
derstand me.
Related articles
on queue.acm.org
Reveling in Constraints
Bruce Johnson
http://queue.acm.org/detail.cfm?id=1572457
Sir, Please Step Away from the ASR-33!
Poul-Henning Kamp
http://queue.acm.org/detail.cfm?id=1871406
Coding Smart: People vs. Tools
Donn M. Seeley
http://queue.acm.org/detail.cfm?id=945135
References
1. Dijkstra, E.W. Programming considered as a human
activity (1965); http://www.cs.utexas.edu/~EWD/
transcriptions/EWD01xx/EWD117.html.
Poul-Henning Kamp ([email protected]) has
programmed computers for 26 years and is the inspiration
behind bikeshed.org. His software has been widely
adopted as “under-the-hood” building blocks in both open
source and commercial products. His most recent project
is the Varnish HTTP accelerator, which is used to speed up
large Web sites such as Facebook.
© 2012 ACM 0001-0782/12/07 $15.00
53
practice
doi:10.1145/ 2209249.2209266
˲˲ Metric in a bubble;
Article development led by ˲˲ Treating the metric;
queue.acm.org
˲˲ One-track metric; and
˲˲ Metrics galore.
Four common pitfalls in using software
metrics for project management. Knowing about these pitfalls will
help you recognize them and, hopeful-
By Eric Bouwers, Joost Visser, and Arie van Deursen ly, avoid them, which ultimately leads
to making your project successful. As

Getting What
a software engineer, your knowledge
of these pitfalls helps you understand
why project managers want to use soft-
ware metrics and helps you assist the

You Measure
managers when they are applying met-
rics in an inefficient manner. As an
outside consultant, you need to take
the pitfalls into account when pre-
senting advice and proposing actions.
Finally, if you are doing research in
the area of software metrics, knowing
these pitfalls will help place your new
metric in the right context when pre-
senting it to practitioners. Before div-
ing into the pitfalls, let’s look at why
software metrics can be considered a
Are software metrics helpful tools or a waste of time? useful tool.
For every developer who treasures these Software Metrics Steer People
mathematical abstractions of software systems “You get what you measure.” This
there is a developer who thinks software metrics are phrase definitely applies to software
project teams. No matter what you de-
invented just to keep project managers busy. Software fine as a metric, as soon as it is used to
metrics can be very powerful tools that help achieve evaluate a team, the value of the metric
moves toward the desired value. Thus,
your goals but it is important to use them correctly, as to reach a particular goal, you can con-
they also have the power to demotivate project teams tinuously measure properties of the
and steer development in the wrong direction. desired goal and plot these measure-
ments in a place visible to the team.
For the past 11 years, the Software Improvement Ideally, the desired goal is plotted
Group has advised hundreds of organizations alongside the current measurement to
indicate the distance to the goal.
concerning software development and risk Imagine a project in which the run-
management on the basis of software metrics. time performance of a particular use
We have used software metrics in more than 200 case is of critical importance. In this
case it helps to create a test in which
investigations in which we examined a single snapshot the execution time of the use case is
of a system. Additionally, we use software metrics to measured daily. By plotting this daily
data point against the desired value,
track the ongoing development effort of more than
Illustration by Gary Neill

and making sure the team sees this

400 systems. While executing these projects, we have measurement, it becomes clear to ev-
learned some pitfalls to avoid when using software ery one whether the desired target is
being met or whether the development
metrics in a project management setting. This actions of yesterday are leading the
article addresses the four most important of these: team away from the goal.

54 comm unicatio ns o f th e ac m | j u ly 201 2 | vol . 5 5 | no. 7

cred it t k

ju ly 2 0 1 2 | vo l . 55 | n o. 7 | c om m u n i cat ion s o f t he ac m 55
practice

Figure 1. The lines of code of a software system from January 2010 to July 2011. Even though it might seem simple,
this technique can be applied incor-
rectly in a number of subtle ways. For
Lines of code
350,000 example, imagine a situation in which
325,000 customers are unhappy because they
300,000 report problems in a product that are
275,000 not solved in a timely manner. To im-
250,000 prove customer satisfaction, the proj-
225,000
ect team tracks the average resolution
200,000
175,000
time for issues in a release, following
150,000 the reasoning that a lower average res-
125,000 olution time results in higher custom-
100,000 er satisfaction.
75,000 Unfortunately, reality is not so
50,000 simple. To start, solving issues faster
25,000
might lead to unwanted side effects—
0
Jan Mar May Jul Sep Nov Jan Mar May Jul
for example, a quick fix now could re-
2010 2010 2010 2010 2010 2010 2011 2011 2011 2011 sult in longer fix times later because of
incurred technical debt. Second, solv-
ing an issue within days does not help
the customer if these fixes are released
Figure 2. Measuring lines of code in two different ways. only once a year. Finally, customers
are undoubtedly more satisfied when
Lines of code Lines no fix is required at all—that is, issues
400,000
375,000 do not end up in the product in the
350,000 first place.
325,000 Thus, using a metric allows you
300,000
275,000
to steer toward a goal, which can be
250,000 either a high-level business proposi-
225,000 tion (“the costs of maintaining this
200,000 system should not exceed $100,000
175,000
150,000
per year”) or more technically ori-
125,000 ented (“all pages should load within
100,000 10 seconds”). Unfortunately, using
75,000
metrics can also prevent you from
50,000
25,000 reaching the desired goal, depend-
0 ing on the pitfalls encountered. In the
Jan Mar May Jul Sep Nov Jan Mar May Jul remainder of this article, we discuss
2010 2010 2010 2010 2010 2010 2011 2011 2011 2011
some of the pitfalls we frequently en-
countered and explain how they can
be recognized and avoided.
Figure 3. Measuring number of files used.
What Does the Metric Mean?
Nr. of files Software metrics can be measured on
5,000 different views of a software system.
4,750
4,500 This article focuses on metrics calcu-
4,250
4,000 lated on a particular version of the code
3,750 base of a system, but the pitfalls also ap-
3,500
3,250 ply to metrics calculated on other views.
3,000 Assuming the code base contains
2,750
2,500 only the code of the current project,
2,250
2,000 software product metrics establish
1,750 a ground truth. Calculating only the
1,500
1,250 metrics is not enough, however. Two
1,000 more actions are needed to interpret
750
500 the value of the metric: adding context;
250
0 and establishing the relationship with
Jan Mar May Jul Sep Nov Jan Mar May Jul the goal.
2010 2010 2010 2010 2010 2010 2011 2011 2011 2011 To illustrate these points, we use
the LOC (lines of code) metric to pro-

56 comm unicatio ns o f the ac m | j u ly 201 2 | vo l. 5 5 | no. 7


vide details about the current size of
a project. Even though there are mul-
tiple definitions of what constitutes
a line of code, such a metric can be
used to reason about whether the ex-
amined code base is complete or con-
tains extraneous code such as copied-
in libraries. To do this, however, the
metric should be placed in context,
bringing us to our first pitfall.
Metric in a bubble. Using a metric
without proper interpretation. Recog-
nized by not being able to explain what
a given value of a metric means. Can be
solved by placing the metric inside a con-
text with respect to a goal.
The usefulness of a single data
point of a metric is limited. Knowing
that a system is 100,000 LOC is mean-
ingless by itself, since the number
alone does not explain if the system is
large or small. To be useful, the value
of the metric should, for example, be
compared against data points taken
from the history of the project or from
a benchmark of other projects. In the
first scenario, you can discover trends
that should be explained by external
events. For example, the graph in Fig-
ure 1 shows the LOC of a software sys-
tem from January 2010 to July 2011.
The first question that comes to
mind here is: “Why did the size of the
system drop so much in July 2010?”
If the answer to this question is, “We
removed a lot of open source code
we copied in earlier,” then there is
no problem (other than the inclusion
of this code in the first place). If the
answer is, “We accidentally deleted
part of our code base,” then it might
be wise to introduce a different pro-
cess of source-code version manage-
ment. In this case the answer is that
an action was scheduled to drastically
reduce the amount of configuration
needed; given the amount of code that
was removed, this action was appar-
ently successful.
Note that one of the benefits of plac-
ing metrics in context is that it allows
you to focus on the important part of
the graph. Questions regarding what
happened at a certain point in time
or why the value significantly deviates
from other systems become more im-
portant than the specific details about
how the metric is measured. Often
people, either on purpose or by acci-
dent, try to steer a discussion toward
practice
“How is this metric measured?” in-
stead of “What do these data points
tell me?” In most cases the exact con-
struction of a metric is not important
To be useful, for the conclusion drawn from the data.
For example, consider the three plots
the value of shown in figures 2 and 3 represent-
the metric should
ing different ways of computing the
volume of a system. Figure 2 shows
be compared the lines of code counted as every
line containing at least one character
against data that is not a comment or white space
points taken from (blue) and lines of code counted as all
new line characters (orange). Figure 3
the history shows the number of files used.
of the project or The trend lines indicate that, even
though the scale differs, these vol-
from a benchmark ume metrics all show the same events.
of other projects. This means that each of these met-
rics is a good candidate to compare
the volume of a system against other
systems. As long as the volume of the
other systems is measured in the same
manner, the conclusions drawn from
the data will be very similar.
The different trend lines bring up
a second question: “Why does the vol-
ume decrease after a period in which
the volume increased?” The answer
can be found in the normal way in
which alterations are made to this
particular system. When the volume
of the system increases, an action is
scheduled to determine whether new
abstractions are possible, which is
usually the case. This type of refac-
toring can significantly decrease the
size of the code base, which results in
lower maintenance effort and easier
ways to add functionality to the sys-
tem. Thus, the goal here is to reduce
maintenance effort by (among others)
keeping the size of the code base rela-
tively small.
In the ideal situation a direct rela-
tionship exists between a desired goal
(such as, reduced maintenance effort)
and a metric (such as, a small code
base). In some cases this relationship
is based on informal reasoning (for ex-
ample, when the code base of a system
is small it is easier to analyze what the
system does); in other cases scientific
research has shown that the relation-
ship exists. What is important here is
that you determine both the nature of
the relationship between the metric
and the goal (direct/indirect) and the
strength of this relationship (informal
reasoning/empirically validated).
ju ly 2 0 1 2 | vo l . 55 | n o. 7 | com m u n i cat ion s o f t he acm 57
practice
Thus, a metric in isolation will not
help you reach your goal. On the other
hand, assigning too much meaning to
a metric leads to a different pitfall.
Treating the metric. Making altera-
tions just to improve the value of a met-
ric. Recognized when changes made to
the software are purely cosmetic. Can be
solved by determining the root cause of
the value of a metric.
The most common pitfall is mak-
ing changes to a system just to improve
the value of a metric, instead of trying
to reach a particular goal. At this point,
the value of the metric has become
a goal in itself, instead of a means
of reaching a larger goal. This situa-
tion leads to refactorings that simply
“please the metric,” which is a waste
of precious resources. You know this
has happened when, for example, one
developer explains to another develop-
er that a refactoring needs to be done
because “the duplication percentage
is too high,” instead of explaining that
multiple copies of a piece of code can
cause problems for maintaining the
code later on. It is never a problem that
the value of a metric is too high or too
low: the fact this value is not in line
with your goal should be the reason to
perform a refactoring.
Consider a project in which the
number of parameters for methods
is high compared with a benchmark.
When a method has a relatively large
number of parameters (for example,
more than seven) it can indicate that
this method is implementing dif-
ferent functionalities. Splitting the
method into smaller methods would
make it easier to understand each
function separately.
A second problem that could be sur-
facing through this metric is the lack of
a grouping of related data objects. For
example, consider a method that takes
as parameters a Date object called
startDate and another called end-
Date. The names suggest that these
two parameters together form a Date-
Period object in which startDate
will need to be before endDate. When
multiple methods take these two pa-
rameters as input, introducing such a
DatePeriod object to make this ex-
plicit in the model could be beneficial,
reducing both future maintenance ef-
fort, as well as the number of param-
eters being passed to methods.
58 com municatio ns o f the ac m | j u ly 201 2 | vo l . 5 5 | no. 7
Sometimes, however, parameters
are, for example, moved to the fields
of the surrounding class or replaced by
a map in which a (String,Object)
The most common pair represents the different param-
eters. Although both strategies reduce
pitfall is making the number of parameters inside
changes to
methods, it is clear that if the goal is to
improve readability and reduce future
a system just maintenance effort, then these solu-
tions are not helping. It could be that
to improve this type of refactoring is done because
the value the developers simply do not under-
stand the goal and thus are treating the
of a metric, symptoms. There are also situations,
instead of trying however, in which these non-goal-ori-
ented refactorings are done to game
to reach the system. In both situations it is im-
a particular goal. portant to make the developers aware
of the underlying goals to ensure that
effort is spent wisely.
Thus a metric should never be used
as-is, but it should be placed inside
a context that enables a meaningful
comparison. Additionally, the rela-
tionship between the metric and de-
sired property of your goal should be
clear; this enables you to use the met-
ric to schedule specific actions that
will help reach your goal. Make sure
the scheduled actions are targeted
toward reaching the underlying goal
instead of only improving the value of
the metric.
How Many Metrics Do You Need?
Each metric provides a specific view-
point of your system. Therefore, com-
bining multiple metrics leads to a bal-
anced overview of the current state of
your system. The number of metrics to
be used leads to two pitfalls, we start
with using only a single metric.
One-track metric. Focusing on only a
single metric. Recognized by seeing only
one (or just a few) metrics on display.
Can be solved by adding metrics relevant
to the goal.
Using only a single software metric
to measure whether you are on track
toward your goal reduces that goal to
a single dimension (that is, the metric
that is currently being measured). A
goal is never one dimensional, how-
ever. Software projects experience
constant trade-offs between delivering
desired functionality and nonfunc-
tional requirements such as security,
performance, scalability, and main-
tainability. Therefore, multiple met-

rics are necessary to ensure that your
goal, including specified trade-offs,
is reached. For example, a small code
base might be easier to analyze, but if
this code base is made of highly com-
plex code, then it can still be difficult
to make changes.
In addition to providing a more bal-
anced view of your goal, using multiple
metrics also assists you in finding the
root cause of a problem. A single met-
ric usually shows only a single symp-
tom, while a combination of metrics
can help diagnose the actual disease
within a project.
For example, in one project the
equals and hashCode methods
(those used to implement equality
for objects in Java) were among the
longest and most complex methods
within the system. Additionally, a rela-
tively large percentage of duplication
occurred in these methods. Since they
use all the fields of a class, the metrics
indicate that multiple classes have a
relatively large number of fields that
are also duplicated. Based on this ob-
servation, we reasoned the duplicated
fields form an object that was miss-
ing from the model. In this case we
advised looking into the model of the
system to determine whether extend-
ing the model with a new object would
be beneficial.
In this example, examining the met-
rics in isolation would not have led to
this conclusion, but by combining sev-
eral unit-level metrics, we were able to
detect a design flaw.
Metrics galore. Focusing on too many
metrics. Recognized when the team ig-
nores all metrics. Can be solved by reduc-
ing the number of metrics used.
Although using a single metric over-
simplifies the goal, using too many
metrics makes it difficult (or even
impossible) to reach your goal. Apart
from making it hard to find the right
balance among a large set of metrics,
it is not motivating for a team to see
that every change they make results in
the decline of at least one metric. Ad-
ditionally, when the value of a metric
is far off the desired goal, then a team
can start to think, “We will never get
there, anyway,” and simply ignore the
metrics altogether.
For example, there have been mul-
tiple projects that deployed a static-
analysis tool without critically exam-
ining the default configuration. When
the tool in question contains, for ex-
ample, a check that flags the use of a
tab character instead of spaces, the
first run of the tool can report an enor-
mous number of violations for each
check (running into the hundreds of
thousands). Without proper inter-
pretation of this number, it is easy to
conclude that reaching zero violations
cannot be done within any reasonable
amount of time (even though some
problems can easily be solved by a
simple formatting action). Such an in-
correct assessment sometimes results
in the tool being considered useless
by the team, which then decides to ig-
nore the tool.
Fortunately, in other cases the
team adapts the configuration to suit
the specific situation by limiting the
number of checks (for example, by
removing checks that measure highly
related properties, can be solved auto-
matically, or are not related to the cur-
rent goals) and instantiating proper
default values. By using such a specific
configuration, the tool reports a lower
number of violations that can be fixed
in a reasonable amount of time.
To ensure all violations are fixed
eventually, the configuration can
be extended to include other types
of checks or more strict versions of
checks. This will increase the to-
tal number of violations found, but
when done correctly the number of
reported violations does not demo-
tivate the developers too much. This
process can be repeated to extend the
set of checks slowly toward all desired
checks without overwhelming the de-
velopers with a large number of viola-
tions at once.
Conclusion
Software metrics are useful tools for
project managers and developers
alike. To benefit from the full potential
of metrics, keep the following recom-
mendations in mind:
˲˲ Attach meaning to each metric by
placing it in context and defining the
relationship between the metric and
your goal, while at the same time avoid
making the metric a goal in itself.
˲˲ Use multiple metrics to track dif-
ferent dimensions of your goal, but
avoid demotivating a team by using too
many metrics.
ju ly 2 0 1 2 | vo l. 55 | n o. 7 | c om m u n ic at ion s o f t he acm
practice
If you are already using metrics in
your daily work, try to link them to
specific goals. If you are not using any
metrics at this time but would like to
see their effects, we suggest you start
small: define a small goal (methods
should be simple to understand for
new personnel); define a small set of
metrics (for example, length and com-
plexity of methods); define a target
measurement (at least 90% of the code
should be simple); and install a tool
that can measure the metric. Commu-
nicate both the goal and the trend of
the metric to your colleagues and ex-
perience the influence of metrics.
Related articles
on queue.acm.org
Making a Case for Efficient Supercomputing
Wu-chun Feng
http://queue.acm.org/detail.cfm?id=957772
Power-Efficient Software
Eric Saxe
http://queue.acm.org/detail.cfm?id=1698225
Sifting Through the Software
Sandbox: SCM Meets QA
William W. White
http://queue.acm.org/detail.cfm?id=1046945
Eric Bouwers (at [email protected] ) is a software
engineer and technical consultant at the Software
Improvement Group in Amsterdam, The Netherlands.
He is a part-time Ph.D. student at Delft University of
Technology. He is interested in how software metrics
can assist in quantifying the architectural aspects of
software quality.
Joost Visser ([email protected] ) is head of research
at the Software Improvement Group in Amsterdam,
The Netherlands, where he is responsible for innovation
of tools and services, academic relations, and general
research. He also holds a part-time position as professor
of large-scale software systems at the Radboud
University Nijmegen,The Netherlands.
Arie van Deursen ([email protected]) is a
full professor in software engineering at Delft University
of Technology, The Netherlands, where he leads the
Software Engineering Research Group. His research
topics include software testing, software architecture,
and collaborative software development.
© 2012 ACM 0001-0782/12/07 $15.00
59
contributed articles
d oi:10.1145/ 2209249.2209267
Japan). By exploring the traditional
A searchable meta-graph can connect even expressions of group members across
time and space, scholars can develop
troublesome house elves and other a sophisticated understanding of the
supernatural beings to scholarly folk categories. complex processes of culture develop-
ment and change.
by James Abello, Peter Broadwell, Since inception of the field in the
and Timothy R. Tangherlini 19th century, folkloristics has been
based on a three-part process:

Computational
˲˲ Fieldwork consisting of the identi-
fication of a folk group and the collec-
tion of its traditions;
˲˲ Archiving, editing, and publishing

Folkloristics
these collections; and
˲˲ Analyzing the collected folklore
based on a single or combination of
multiple theoretical perspectives.
For the most part, folklorists limit
their studies to small, well-defined
collections or subsets of much larger
collections. A study corpus is often
selected based on criteria like genre
or topic. The “variants” in the result-
ing study corpus are then subjected to
“close readings”; from an ethnograph-
The study of folklore, or folkloristics, is predicated on ic perspective, close readings focus on
analysis of the symbolic aspects of the
two premises: traditional expressive culture circulates expression as an important meaning-
across and within social networks, and discrete making process for storytellers and
“performances” of traditional expressive forms their audiences. Conclusions drawn
from close readings are subsequently
serve an important role as the locus for the ongoing abstracted to make more general com-
negotiation of cultural ideology (norms, beliefs, and ments about the changing contours of
the cultural ideology of the group in
values). The underlying assumption is that folklore question. This approach has worked
emerges from the dialectic tension between individual well for generations of folklorists, par-
members of a cultural group on the one hand and the ticularly in the context of the relatively
small size of accessible collections
“traditions” of that group on the other. This ongoing and the general alignment of research
tug-of-war ensures that traditional expressive culture
is constantly changing, adjusting to the needs of the key insights
individuals within a group.  T he field of computational folkloristics
weds algorithmic approaches to classic
The goal of any folkloristic investigation is to interpretive problems from the field of
folklore.
understand how traditional expressions create
 A multimodal network representation of
meaning for the people who create and receive them; a folklore corpus (hypergraphs) liberates
folklore exploration from the limitations
studies range from a consideration of fairy-tale of existing classification schemes.
telling by 19th-century peasants (such as in the classic  I magine a system in which the
works of the Grimm brothers) to analysis of rumor complexities of a folklore corpus can be
explored at different levels of resolution,
propagation in the aftermath of disasters (such as from the broad perspective of “distant
reading” down to the narrow perspective
Hurricane Katrina in 2005 and the 2011 tsunami in of traditional “close reading.”

60 com munic atio ns o f th e acm | j u ly 201 2 | vol . 5 5 | no. 7

 questions with existing archival-find-
ing aids.
As folklore collections are increas-
ingly digitized, and as Web-based so-
cial media sites become established
loci for the circulation of traditional
expressive forms, earlier methods of
folklore scholarship have begun to
falter for several reasons: First, it is
increasingly difficult to determine the
boundaries of a study corpus, not only
because existing “finding aids” that
rely on hand-indexing have not kept up
with the growth of digital resources but
also because modern research ques-
tions no longer align with the origi-
nal ideas underpinning the early aids.
Second, the size and scope of folklore
corpora have increased so dramatically
it is impossible to apply close-reading
methods to even a fraction of the items
in a study corpus.
Due to this dramatic change in the
scholarly landscape, where issues of
access no longer pose absolute limits
on the scope of a study, scholarship
in folklore, as in the humanities as a
whole, must adapt to a new environ-
ment where many thousands, if not
millions, of texts are readily available.
At the same time, canonical ap-
proaches to corpus selection that guar-
anteed high precision but also resulted
in low recall are more difficult to de-
fend intellectually. Whereas a scholar
could, until recently, reasonably pro-
pose a study focused exclusively on,
say, the several hundred folksongs
indexed in the Child collection of the
Anglo-American ballad,8 the availabil-
ity of many more related texts from the
same time period or the same cultural
area necessitates that the scholar ac-
knowledge this greatly expanded do-
main. This fundamental change in the
accessibility and size of target domains
is a welcome development but also re-
quires that folklorists augment exist-
Illustrations by J.F. Podevin

ing methodologies to take advantage

of the change in scope.
Along with increased accessibility of
machine-readable primary-source ma-
terials in the form of digitized archives
(such as The Danish Folklore Archive),

ju ly 2 0 1 2 | vo l . 55 | n o. 7 | c om m u n i c at ion s o f t he ac m 61
contributed articles
born-digital archives (such as The Sho-
ah Foundation Visual History Archive),
and enormous informal repositories of
personal interaction (such as Facebook
and Twitter), there has been an equally
rapid increase in methodologies for
search and discovery in large, poorly
labeled corpora (such as Google). How-
ever, many of these new algorithmic
approaches for search, discovery, and
analysis developed for the Web do not
readily translate to the disconnected
realm of most collections of literature
or folklore. On the other hand, many of
the research questions scholars want
to address—generally inconceivable
prior to wide-scale availability of large
digital corpora—demand more target-
ed approaches than those developed
for the biological and physical scienc-
es, scientific co-citation networks, and
e-commerce. Availability of substan-
tial digital folklore corpora ultimately
speaks of the need for computational
folkloristics.
As a sub-discipline of folklore, com-
putational folkloristics encompasses:
˲˲ Digitization of existing resources
or collection of new resources in ma-
chine-actionable form;
˲˲ Development of extensible data
structures for description and storage
of these resources;
˲˲ Novel methods for classifying folk-
lore data based not only on existing
classification schemes and metadata
but also on surface-level phenomena
(such as the linguistic features of texts);
˲˲ Domain-sensitive methods for
search and discovery; and
˲˲ Algorithmic methods for cor-
pus study, including visually rich
approaches that fuse statistical rep-
resentations of the data with appro-
priate historical maps,35 as well as
combinatorial graph analytical ap-
62 communicatio ns o f the ac m | j u ly 201 2 | vol . 5 5 | no. 7
proaches (such as network-based role
discovery).30
These methods augment, rather
than supplant, earlier close-reading
methods prevalent in folklore, allow-
ing for a more consistent approach to
the selection of study materials for a
given research question. Ideally, one
should be able to move seamlessly be-
tween a bird’s-eye view of the overall
study corpus and the complex inter-
connections among people, places,
and artifacts that underpin the corpus
at one end of the spectrum and the
close reading that has characterized a
great deal of prior folklore scholarship
at the other.
Distant Reading
In 2000, Franco Moretti25 proposed the
theoretically rich concept of “distant
reading,” anticipating the profound
changes in humanities scholarship
presaged by developments in informa-
tion technology. In Moretti’s analysis
“Distance… is a condition of knowl-
edge: It allows you to focus on units
that are much smaller or much larger
than the text: devices, themes, tropes—
or genres and systems.”25 Distant read-
ing is thus a complementary approach
to the close-reading approaches that
have characterized humanities re-
search for centuries. It is a particularly
apt approach for folklore, since folklor-
ists are not only interested in the par-
ticular features of a discrete text but
also the much broader picture of how
that discrete text (or performance) fits
into the wide range of traditional ex-
pression through time and space.
We endorse this view of the need to
fuse close reading and distant read-
ing. The backbone of computational
folkloristics must leverage current
technological developments that allow
us to semantically interconnect large
amounts of data and explore them
relatively easily in integrated analyti-
cal and visual environments inexpen-
sively. Here, we outline some of the
components of an ideal computational
folkloristics system and the main ele-
ments that provide quick classification
of a large, poorly labeled corpus cou-
pled with intuitive visual navigation.
This system would allow a researcher
to explore the complex relationships
among tradition participants (the
people in the tradition group), the his-
torical and geographic environment in
which they lived and worked, and the
folklore they created, and also allow for
incorporation of pertinent scholarly
feedback annotations. A central com-
ponent of such a system can be based
on “hierarchical graph maps,”21 an al-
gorithmic counterpart to distant read-
ing. Hierarchical graph maps fuse two
of the most common abstractions of
visual navigation—graphs and maps.
They also align with Moretti’s concep-
tualization of methods suited for the
implementation of distant reading in
the humanities.23
Limitation of Classification Schemes
Classification is a vexing first-order
problem in folklore. Since the field’s
inception in the 19th century, folklor-
ists have been concerned with the
classification of texts, devising nu-
merous classificatory systems. They
have evolved into a series of overlap-
ping and relatively shallow ontologies.
Genre classifications play an impor-
tant role in the organization of most
folklore collections, with, say, narra-
tive folklore being sorted into genres
(such as myth, folktale, legend, rumor,
fairy tale, and ballad).3 Such classifica-
tions are problematic as a model of
folklore production, given the vast ar-
ray of native genre distinctions from
target cultures that do not align with
scholarly categories.12 Other efforts
have concentrated on organizing folk-
lore by topics within a single genre
or group of closely associated genres
(such as folk tale and legend). Perhaps
best known is “The Types of Interna-
tional Folktales” commonly referred
to as the ATU index.37 The underlying
indexing philosophy of folklore type
indices, which exist for specific na-
tional traditions9 or specific genres,10
are best summed up as “one story/
one classification.” A slightly more
fine-grain index that allows for greater
overlap at the unit of “tale” focuses
on “motif,” or constitutive narrative
element of a tale. In it, a tale consists
of a series of motifs, and it is the mo-
tifs, rather than entire tales, that are
indexed, then cross-referenced to
published collections.13,36 In terms of
search and retrieval, these traditional
classifiers provide a high degree of
precision but, due to that precision,
sacrifice a great deal of recall. Recall
 contributed articles

is so low that searches based on the collected folklore from approximately in the published collection.
indices miss many potentially inter- 4,000 named individuals whose ages Since 1999, we have been digitiz-
esting variants. Although these clas- and life histories he meticulously re- ing and transcribing not only the pub-
sificatory schemes have served folk- corded. His collection spans more lished collection but also an unpub-
lorists for so long, the systems fail than 24,000 manuscript pages, includ- lished collection consisting largely of
dramatically when suddenly address- ing nearly a quarter-million stories, field-collection manuscript pages. We
ing tens of thousands or even hun- songs, proverbs, riddles, rhymes, and have extracted from Tang Kristensen’s
dreds of thousands of texts from pub- descriptions of everyday life. Approxi- memoirs, letters, and personal pa-
lished and unpublished collections. mately one-third of this collection has pers the names of his informants and
High-precision indices (such as been published in a series of printed the places these people lived. These
standard folklore type and motif) have volumes, organized first by genre and places, along with places mentioned
a second problem—cost of implemen- subsequently indexed according to in their stories, have been geo-coded
tation. When target collections are rel- Tang Kristensen’s own idiosyncratic using historical gazetteers. We also
atively small—dozens of examples to topic categories; these categories are extracted Tang Kristensen’s collecting
perhaps hundreds—classification sys- not consistent across the 80 volumes routes through Denmark indexed to
tems can be applied through manual
methods. But when target collections
expand to 10,000 or more examples,
they become much too costly to imple-
ment. This cost is amplified by the
need to revise and update existing indi-
ces and re-index existing collections, a
problem that is particularly acute when
the archives are open-ended and con-
tinuously growing (such as blog posts
about uprisings in the Middle East).
As a simple, historical example from
the Danish materials, no one has yet
classified (according to the ATU index)
the several thousand fairy tales in the
collections of the Danish Folklore Ar-
chive (http://www.dafos.dk), nor does it
seem anyone ever will. We may well be
nearing the end of the useful lifespan Figure 1. A simple GUI for exploring a subset of a folklore archive, here the Evald Tang
of single-classifier schemes, given their Kristensen collection, includes historical maps and the ability to drill down to images of the
collector’s field notes.
implementation costs and inability to
describe the complexity of tradition. So
how does a scholar perform search and
discovery to answer research questions
in folklore? What is needed is a system
for the automatic indexing of a collec-
tion that is flexible enough to allow for
shifting priorities of folklore research-
ers and that can adapt to a sudden
increase in the scale of the target do-
main. In the following sections, we de-
scribe one such approach to problems
in search and discovery based on a net-
work model of a folklore collection. As
our test corpus, we use a subset of the
Tang Kristensen collection of Danish
folklore housed at the Danish Folklore
Archives in Copenhagen.

Ghost Stories?
Evald Tang Kristensen, a schoolteach-
er in Jutland, Denmark, is today widely
regarded as the most prolific folklore
Figure 2. The faceted browsing system ETKspace (based on the mSpace faceted browser)
collector ever.35 Over the course of his allows users to quickly select a subset of the overall corpus based on multiple criteria (such
active collecting career, 1865–1923, he as storyteller, places mentioned, places of story collection, and date of collection).

ju ly 2 0 1 2 | vol . 55 | n o. 7 | c om m u n i c at ion s of t he acm 63

contributed articles
Table 1. Attributes for each story text.
Attributes Term frequency
Notes of keywords
Description A term frequency
count of keywords
selected from
the vocabulary
of the entire corpus;
keywords can
be bigrams.
Theory The underlying theory
of this approach is
known as “bag of words,”
where the vocabulary of
a given text is recognized
as meaning bearing.
Computed? Yes. Keywords were Not yet.
identified using AutoMap.
The vocabulary of each
individual story was
subjected to a stop word
filter (articles, pronouns,
prepositions, conjunctions)
and rudimentary stem-
ming (Snowball stemmer).
A term-frequency count
for each individual story
was computed based on
this limited vocabulary.
Benefits Can be computed quickly. Allows for comparison of
stories that share ontologically
similar content, even when
the vocabulary is divergent.
Challenges Although Danish is not
and highly inflected, there is
drawbacks a need to at the very
least stem the
vocabulary. Umlaut
and limited cases of
syncope introduce
inaccuracies into the
stemming. Without
stemming, inflected
forms of words are
counted as discrete
lemmata. Bag-of-words
approaches discard all
important grammatical
information that contrib-
utes to meaning making.
64 comm unicatio ns o f the acm | j u ly 201 2 | vo l. 5 5 | no. 7
Shallow-ontology
A shallow, hierarchical ontological A topic index to each
representation of each text
in the corpus. The nine top
categories—Actions or Events;
Animals; People; Places;
Resolution; Stylistics; Super-
natural Beings; Time, Season,
Weather; Tools, Items, and
Conveyances—along with 125
second-level categories, offer
a hierarchical overview of the
content elements of the story.
The underlying theory of this
approach is predicated on
Vladimir Propp’s Morphology of
the Folktale28 and, later, Alan
Dundes’s refinement of that
work.12 Dundes proposed that
individual elements of a story
(allomotifs) often fulfill a struc-
tural role in the narrative
(motifemes). The shallow
ontology first developed in
Tangherlini34 catalogs the stories’
content on multiple levels, allow-
ing comparison across stories
even when the vocabularies of
the stories are divergent.
For this work, we applied
the shallow ontology by hand
and are working on automating
the process using DanNet,
the Danish version of WordNet.
Evald Tang
Kristensen index
of Tang Kristensen’s
published collections.
Nearly all published
folklore collections include
their own topic indices
based on the collector’s
or editor’s evaluation of
“what the story is about.”
In Tang Kristensen’s
publications, he separated
the collections
first according to
genre, then according
to “top level” topics
(such as “Witches
and their Games”),
then into more specific
categories (such as
“Driving with three
wheels”).
No.
These are preexisting
indices that represent the
collector’s or editor’s his-
torical view of the collec-
tion; folklorists are familiar
with these indices.
The indices fall prey
to the “one-text-one-
classification” pitfall
of early folklore
classification systems.
Place Names Personal Names
A geo-referenced An index of the people
representation of mentioned in a story
places mentioned and the storytellers.
in a story and the
place where a story
was collected.
Folklore theory Recent folklore theory
has always been emphasizes the role of
concerned with storytellers in shaping tradition
the relationship as part of their own creative
between traditional and ideological expression.31
expression and People mentioned in stories
the physical help situate the stories in
environment.22 the local social environment.
Inclusion of
geo-referenced place
names here allows
one to explore the
geographic location
of stories in regard
to attributes related
to content.
Partially. The identifi- Partially. Named-entity
cation and alignment detection implemented in
of place names with Mallet was used to generate
historical place name a list of potential personal
gazetteers is a semi- names from the corpus.24
supervised operation; This list was aligned with
the de-duplication the partial list of personal
of place names in names in one of Tang
the corpus was Kristensen’s indices.
assisted by DDupe.4
Places mentioned The emphasis in folklore
reveal association theory on the role of the
between topics and individual in the creation of
places in the real tradition and the highly localized
world made by and historicized nature of much
storytellers. folkloric expression can be
captured by this index.
Many of the places Danish names are complex.
mentioned in stories A century of at times contradic-
are difficult to resolve tory laws have led to a situation
to existing place- where many people have a last
name gazetteers. name based on a patronymic
Some place names ending in -sen, with a limited
have changed over number (approximately 116)
the years, some have possible first components (such
ceased to exist, and as Pedersen from Peder’s son)
others are only known and a second last name derived
in local culture. entirely from place names.
Small orthographic The former phenomenon makes
variations in it difficult to align people
place-name spelling mentioned with external archival
also contribute to resources (such as a census),
some uncertainty. while the latter makes it difficult
to easily discern between place
names and personal names.
 contributed articles

places, people, and time. Moreover, we folklore collectors, and storytellers, as

have searched census data and church their country struggled toward greater
records to situate his informants in democratic freedom and free-market
both space and time. As part of this ef- organization. It also makes an excel-
fort, we developed two basic modules lent testbed for developing and testing
to address corpus navigation: The first tools for computational folkloristics.
is a relatively simple study environ- One of Tang Kristensen’s published
ment appropriate for exploration of a collections of legends includes the
subset of a larger corpus incorporat- following story: “It was the old coun-
ing rich biographical and interpretive selor from Skårupgård who came rid-
data, along with historically accurate ing with four headless horses to Tod-
maps (see Figure 1). The second is a bjærg church. He always drove out of
faceted browsing application intended the northern gate, and by the gate was
to help select corpus resources that can a stall. They could never keep the stall
be ported to more sophisticated study door closed. They had a farmhand cation schemes for the vast majority of
environments (see Figure 2). who closed it once after it had sprung folklore collections.
Although the work is far from com- open. But one night, after he’d gone to
plete, this growing window into the bed, something came after him and it Folk Story Hypergrahs
daily life of the rural population of late- lifted his bed straight up to the rafters Since folklore can be classified accord-
19th-century Denmark offers an intrigu- and crushed him quite hard. Then the ing to numerous criteria, connecting
ing glimpse into the conflicting agen- farmhand shouted and asked them to items together based on them allows
das—cultural, economic, intellectual, stop lifting him up there. ‘No, you’ve information to flow throughout the
and political—of scholars, amateur tormented us, so now you’ll die...’ I corpus. That is, building a multi-
heard that’s how two farmhands were modal network representation of the
Table 2. Attributes associated with DS IV crushed to death. He wanted to close corpus offers a stark contrast to the
650, the misclassified ghost story.
the door and then they never tried to compartmentalization of information
close it again.”32 represented by a singly classified print-
The story concerns a vengeful ed text model. As a bonus, a network
ETK Index Manor lords, ladies
and mistresses
haunt, yet Tang Kristensen classified it model of the corpus opens up the ap-
Places Mentioned Skårupgård, Todbjærg
as being about unnamed manor lords. plicability of multi-resolution network
Personal Names [none]
Consequently, a researcher interested analysis. The intention is to represent
in the relatively simple topic of ghost folklore as a dynamic hypergraph of
keyword frequency stories in late-19th-century Denmark people connected in time and space to
bed 2 would be unable to discover the story places and their stories. This represen-
church 1 through existing finding aids. Even in tation is extensible as more resources
counselor 1 the digital realm, the discovery of the become available. One can thus imag-
death 3 story as a ghost story is a challenge. ine a system that stores the social net-
door 4 Since it makes no overt mention of works of tradition participants, the
farm_hand 3 ghosts, simple keyword searching academic networks of scholars and
headless_horse 1 on Danish terms for ghosts (spøgelse, collectors, communication and trans-
night 1 genganger) would fail. Experiments portation networks linking geographi-
north 1 with supervised text classifiers, in this cal places, repertoire networks linking
old 1 case a naïve Bayes learner trained on storytellers to their stories, and finally
rafters 1 200 stories labeled “ghost stories” by linguistic and semantic networks that
riding 1 Tang Kristensen, also fails to classify link stories. The underlying theory is
stall 3 the story as a ghost story. Indeed, only that it is difficult to find something if
torment 1 a relatively high degree of domain ex- it is not connected to something else.
pertise would allow a researcher to find By connecting the three main actors
Shallow ontology Entry
the story, recognizing that headless of the folklore equation—people (sto-
Resolution Negative
animals are often related to hauntings. rytellers and scholars), places (where
Animals Farm animal
Unfortunately, headless animals are stories were collected and mentioned
Animals Horse
also related to portents and the devil in in stories), and stories (or folkloric ex-
Places Barn
Danish tradition; thus the recall of sto- pression in general)—a researcher can
Places Church
ries for a keyword search on the Danish discover not only specific texts but pat-
Actions or Death
term for “headless” (hovedløs) would terns in the network data not readily
Events
trigger the opposite problem with far apparent if the collection is presented
People Farmhand/Shepherd
greater recall than is probably help- in disconnected fashion. The result-
Supernatural Ghost/Revenant
Beings ful. The story is not an anomaly in the ing model of a folklore collection rests
collection but rather illustrative of the on a series of graphs, each describing
underlying problem of existing classifi- a mode of the complex folklore hy-

ju ly 2 0 1 2 | vo l . 55 | n o. 7 | c om m u n ic at ion s o f t he acm 65
contributed articles

pergraph or meta-network. This hy-
pergraph model of folklore offers the
potential for productively spanning
the distant-reading and close-reading
spectrum explored earlier.
Connections
Connecting texts to one another is
one of the most complex tasks of the
hypergraph-generation process. Net-
works describing the connection of
stories to their tellers and stories to
the places they mention are relatively
easy to generate since they are mainly
an alternative representation of the
corresponding databases. More com-
plex is generating <story to story>
networks based on multi-objective cri-
teria. As a case in point, one criterion
of our work is to not abandon earlier
Figure 3. Overview of the hypergraph browser for computational folkloristics. The target
ghost story (story id 340) is upper left, identified with a landmark. The story of the house elf
(nisse) is right of center, also identified with a landmark (story id 348). The upper navigation
screen shows a tree view of the organized hypergraph; the left panes provide navigation and
selection; the lower right includes a graph-navigation toggle. This hypergraph browser is
based on Abello et al.2
Figure 4. Overall story space for the test corpus, with a cluster selected for further inquiry.
systems of classification (such as the
tale type, motif indices, and collection-
specific indices) but incorporate the
information from them into the story
representation. More generally, the
chosen story representation should of-
fer mechanisms for incorporating ac-
cumulated scholarly knowledge. Con-
sequently, our approach is to model
each story as an attribute-valued vec-
tor, where the values of some attributes
are known a priori and others are com-
puted. Some attributes may take as val-
ues either simple scalars or “links” to
more complex structures or processes.
Other attributes may have associated
with them time-varying functions re-
cording a sequence of attribute values
over time, or a time series. We did not
incorporate time-varying attributes in
our initial limited experimental dataset
of stories; Table 1 lists the attributes
for stories in the corpus, and Table 2
lists the attributes of a single story.
The dataset includes 342 storytell-
ers and 942 stories, along with Tang
Kristensen’s topic index for two col-
lections—Danske sagn33 and Danske
sagn, ny række32—as the basis for the
network. We supplemented this infor-
mation with two additional weighted
graphs: The first was based on a simple
“shared keyword” weight computed
for each pair of stories. Using AutoMap
we generated a set of 1,201 keywords
shared among all stories across the
corpus, after eliminating pronouns,
prepositions, articles, and conjunc-
tions.7 This bottom-up approach gave
us an important view of the corpus
based on shared vocabulary across
texts. The second was a top-down ap-
proach that categorized stories accord-
ing to a shallow ontology for the corpus
developed specifically for the realm of
Danish folklore.35 Such shallow on-
tologies depend on domain expertise,
providing a view of the corpus attuned
to the “tradition dominants” of a par-
ticular tradition group.15,21,26 The use
of natural language processing (NLP)
tools in concert with DanNet, the Dan-
ish version of WordNet, may allow us
to develop further the first-generation
shallow ontology for the Danish folk-
lore corpus.27,29 Topic-modeling meth-
ods (such as Latent Dirichlet Alloca-
tion and Latent Semantic Analysis)
could be used as additional methods
for generating a <story to story>
graph.6,11,14 The advantage of the hyper-
graph model, or multimodal network,
is that new network representations
can be added to the overarching mod-
el as their applicability to the study of
folklore is further understood.
Our hope is that the end result is a
system with applicability for research-
ers working with a range of folklore
and ethnographic collections and ul-
timately for any collection or series
of collections of culturally expressive
forms. In our own earlier work, we ex-
plored development of a shallow ontol-
ogy for the Danish folklore collection
as a part of a method for revealing nar-
rative tendencies in the corpus based
on four attributes of the storytellers:
gender, occupation/class, age when
the stories were told, and education.35

66 c om municatio ns o f th e acm | j u ly 201 2 | vol . 5 5 | no. 7

 contributed articles

In 2000, when digitizing large collec- collection of key words of interest, or Figure 4). Based on this information,
tions became practical, we revisited known scholarly categorization. The a researcher might decide to place a
the coding of the stories from the 1994 system then brings up both a visual landmark tag in one of the story’s ele-
study35 and began refining the story- network representation of a “cluster” ments, get a projection of the meta-
attribute set into a consistent shallow of stories related to the target story, to- network on a particular subset of at-
ontology. We further refined the shal- gether with a Web link, to a color-cod- tributes, and/or provide feedback on
low ontology in 2008–2009 to develop ed textual representation of the related the perceived quality of the system’s
a geo-referenced topic browser for a stories and other pertinent scholarly suggested answer (see Figure 5). At
collection called the “Danish Folklore information (such as authors, places this point, the researcher can visually
Nexus” (http://projects.cdh.ucla.edu/ mentioned, and historical context or navigate to clusters of stories adjacent
danishfolklore) (see Figure 1) and a period where the story is placed) (see to the system-provided cluster, select
faceted browsing system for Danish
folklore still under development (http:// Figure 5. Close-up view of a selected story cluster focusing on stories concerning
economic threat.
etkspace.ucla.edu) (see Figure 2). Over
2008, the initial test corpus was coded
Note the clear semantic divide between terms in the upper half of the cluster graph
with attributes from the shallow ontol-
and terms in the lower half, with those in the upper half focusing on historical figures
ogy in a semi-supervised system. Tang- and those in the lower half focusing on supernatural figures.
herlini, an expert in Danish folklore,
checked automatic assignments made
by AutoMap’s thesaurus function for
accuracy.7 This iterative process of
expert checking of automatic assign-
ments also yielded further refinement
of the ontology.

Typical Folklore Tasks

The resulting network for our test cor-
pus includes 2,973 nodes with 52,663
edges, and the system’s design aims to
address two questions emblematic of
regular research problems in folklore:
˲˲ Given a poorly labeled target story
(such as the ghost story mentioned
earlier), how can the system place the
target story in a neighborhood of “simi-
lar” stories?; and Figure 6. Three related story clusters, expanded for discovery of candidate stories for
further exploration.
˲˲ Can the system suggest candidate
stories that would likely be of interest
to a folklore researcher?
The two related clusters are related more closely with supernatural threats. The cluster on the left
We addressed them through the fol- is bifurcated, with stories at the top related to robbers, theft, and murder, and those at the bottom
lowing basic computational modules related to Satan. In the cluster on the right, the stories at the top involve witches and animals related
of a system: to Satan, with both categories representing significant economic threat. The stories at the bottom
involve interaction with mound folk, a supernatural group closely related to economic issues.
Hypergraph Constructor → Hyper-
graph Projector → Hierarchical Graph
Map Constructor1 → Graph Naviga-
tor2 → Visual and Textual Selectors →
Landmark Annotators → Web Browser
Finder → Answer Verifier → Report
Generator → Hypergraph Curator
The system interface lets users in-
teract with each computational mod-
ule through textual input/output, tex-
tual search, drop-down menus and
tabs, mouse selectors, visual sliders,
zooming, a navigation wheel, a land-
mark annotator, and statistical reports
(see Figure 3).
Initial user interaction amounts
to specifying a target story descrip-
tor—choosing from a story identifier,

ju ly 2 0 1 2 | vo l . 55 | n o. 7 | com m u n i c at ion s o f t he acm 67

contributed articles
another story, and iterate the process
(see Figure 6). The system keeps the
user-selected landmarks as aggregated
counts that can be used by authorized
story “curators” to update the existing
hypergraph for future analysis. This in-
corporation of scholarly feedback is es-
sential for the system’s performance,
as it allows for the aggregation of ac-
cumulated expert knowledge, which
in turn helps guide researchers as they
navigate the hypergraph.
The graph-theoretic techniques we
applied to generate the final hierarchi-
cal graph map involve four major tasks:
˲˲ Define similarity measures in
stories;
˲˲ Construct a weighted graph among
stories, where the weight of the connec-
tion between two stories is obtained
through order-preserving transforma-
tions of their similarity measures;
˲˲ Decompose the graph(s); and
˲˲ Compute a “hierarchy tree” for the
obtained graph(s).
The similarities measures we used
are based on several algorithms, in-
cluding: Hellinger distance,23 weighted
Jaccard coefficient,19 cosine similar-
ity,18 and scholar-defined weights. The
measures are transformed through
Gaussian kernels and other standard
kernels20,30 that assign to every pair of
stories that share at least a minimum
set of attributes a corresponding simi-
larity weight. In general, the graphs ob-
tained through these transformations
vary depending on the type of simi-
larity measure used. Consequently,
we obtain a final weight between two
stories by computing a norm of their
similarity-weights vector. Because the
obtained graph has different density
“regions,” we follow the approach de-
scribed in earlier work by Abello et al.,2
decomposing the collection of stories
into maximal sub-graphs according to
their inherent k-connectivity. Each ob-
tained sub-graph is then clustered us-
ing an adapted version of Markov Clus-
tering.2 The entire process is encoded
in a data structure called a “hierarchy
tree” visually represented in the user
interface as a hierarchical graph map
(see Figure 3),2 constituting one of the
central modes of interaction between
user and story corpus. Worth noting is
that each cluster includes a unique as-
sociated label string that encodes its
“semantic” placement in the hierarchy
68 com municatio ns o f th e ac m | j u ly 201 2 | vo l . 5 5 | no. 7
tree. These cluster labels can be used
to help provide and receive feedback
from scholars studying the corpus, as
well as judge the effectiveness of the
The trouble suggested classification.
with house elves Performance on the
Two Folklore Tasks
begins with The first task we included in the sys-
their unpredictable tem was to place the target story in a
neighborhood of closely related ghost
nature, which, stories. The system succeeded admira-
for folklorists, bly, moving the story from a group of
stories about manor lords in the origi-
makes them nal classification scheme to a neigh-
difficult to track borhood of stories about ghosts and
other supernatural beings that haunt
through the workers in farm buildings and barns—
landscape of a new implicit category that did not
exist in Tang Kristensen’s original in-
the story corpus. dices. Although we left success criteria
for this work fuzzy, we placed the target
story in the same part of the organized
meta-graph as several ghost stories
exhibiting certain topical similari-
ties; for example, another story where
a haunt makes it impossible to use
part of the farm appears nearby in the
hypergraph: “A woman died in a farm
in Dokkedal… and she showed herself
every noon at a specific place in one of
the rooms and always as a black shape.
Because of that, the room stood empty
for a long time, since nobody dared go
in there...”33
Perhaps more interesting is the sys-
tem’s ability to meet the second task—
suggest candidate stories, given the
researcher’s interest in a target story.
In this case, the visual representation
of the meta-network reveals a close af-
filiation of the target story with a story
not classified by Tang Kristensen as a
story about ghosts but as a story about
house elves (nisse), a category of super-
natural beings not usually considered
thematically related to ghosts: “When
they got home, the farmhand was
happy because now he’d gotten some-
thing to use for feed, and afterward
nis [a house elf] could go and feed the
animals just as much as he wanted to.
Then they got another farmhand, and
he didn’t want to let him go on like
that. But he got lifted up in his bed
and all the way up to the rafters, so he
lay there dead when people got up the
next morning.”33
The intersection between the target
story and this latter story, likewise not

classified as a ghost story and com-
pletely lost to the researcher using ear-
lier finding aids to find ghost stories in
the corpus, suggests the broad applica-
bility of the method. A researcher with
a specific story in hand can find stories
that relate to that story on a thematic
level, while another researcher, with-
out a particular target story in hand,
can discover neighborhoods of “like-
minded” stories. By adding or sub-
tracting network modes or by testing
different weights for edges in different
projections of the overall meta-net-
work, a researcher can quickly reorder
the folklore meta-graph for ongoing
discovery of information links not eas-
ily discovered through existing finding
aids. This information can be added
back into the now dynamic representa-
tion of the folklore corpus, allowing for
more sophisticated analysis of stories
and story patterns.
To the best of our knowledge no
well-established criteria exist for judg-
ing the performance of such a compu-
tational system. Evaluation requires
specification of a series of well-defined
tasks that engage potential users in a
“natural manner.” The two tasks we
defined earlier are typical of folklore
researchers, and the system performs
well in answering the folklorist’s ques-
tions. We also imagine other natural
tasks that might be used to evaluate
and refine the system. Two that seem
fundamental are “multiple key attri-
bute searching” and “cluster labeling.”
Because folklore research is predicated
on understanding the “context” of a
cultural expressive form, the visual rep-
resentation of the search results must
be a projection onto the overall hierar-
chical-graph-map view of the corpus.
Answers must be provided at human-
interactive rates, a performance crite-
rion our current system meets after the
initial hierarchical graph map for the
corpus has been computed.
Cluster labeling is an important
task for researchers in light of this new
interactive environment for the study
of a folklore corpus. Hierarchical graph
maps are presented to the researcher
visually and include the string-labeled
representations of the clusters in the
hierarchy tree; the system computes
the cluster labels. Researchers should
also be able to provide textual feed-
back about the labels for their select-
ed clusters, a feature we have not yet
implemented. The system could then
incorporate this researcher-generated
feedback in its labeling algorithms.
The more expert feedback the system
incorporates, the more definitive and
useful the cluster labels it could gener-
ate. Researchers’ inability to provide
a short textual description of a given
cluster could suggest the need for revi-
sion of similarity measures and cluster
methods. Such interaction between a
folklore system and researchers should
be central to improving the quality of
this type of classification system.
Extending the System
The goal of a scalable multilingual
folklore system necessarily relies on
NLP. Folklore has been collected in
many countries and languages and
from many eras. Each language poses
special challenges, from transcrip-
tion and representation in machine-
readable form to morphological and
syntactic complexity.a Higher-level
problems (such as named-entity detec-
tion and disambiguation, extracting
structural elements, and sentiment de-
tection) complicate the representation
of texts significantly. Our system does
not yet include narrative structures as
attributes of a story, as explored by El-
son and McKeown14 and Finlayson,16,17
Our own future work will include cod-
ing of narrative structure into the at-
tribute set of a given story, as it should
add additional insight into the target
folklore corpora. Finally, our system
does not include sentiment detection,
though it would be a useful extension
to be able to label texts or parts of texts
as expressing doubt or uncertainty or
characterizing the emotional aspects
of characters in stories, but it lies be-
yond our current capabilities.
One remaining yet potentially re-
warding challenge is the large-scale
digitization of folklore archives around
the world. Many folklore collections are
based on recordings of spoken dialects
or languages with poorly described or
nonexistent written grammars; not
surprisingly, many of them also have
a Our group is developing a system for automat-
ed lemmatization and morpho-syntactic tag-
ging for Old Icelandic (NSF # BCS-0921123);
modern Icelandic inflection is fully described,
allowing for more rapid lemmatization of
modern Icelandic texts.5
ju ly 2 0 1 2 | vo l . 55 | n o. 7 | c om m u n i c at ion s o f t he acm
contributed articles
inconsistent orthographies, at times
varying from collector to collector.
Digitization will require close collabo-
ration among archivists, librarians,
computer scientists, and domain spe-
cialists. Indeed, one reason we chose
the Danish folklore archive as our ini-
tial target corpus was our team’s rep-
resentation in all these fields. Finally,
many folklore collections exist almost
entirely as audio and visual recordings,
posing significant challenges for digi-
tal archiving and requiring significant
advances in NLP technology before
they are accessible to a computational
folklore system.
The system’s generalizability de-
pends on these advances and develop-
ers’ ability to automatically recognize
and code narrative features and nar-
rative structures. As part of the effort
to extend our work to other corpora,
domain experts could develop shal-
low ontologies for other tradition areas
and other types of expressive forms.
Shallow ontologies for, say, Korean or
Mexican folklore would have to include
types of supernatural beings beyond
those currently described in the sys-
tem; for example, the Korean tokkaebi,
a blue gremlin with a particularly nasty
disposition, and the legendary Mexi-
can chupacabra, feared for its habit
of attacking and sucking the blood of
goats, would have to be incorporated
into ontologies describing these tradi-
tions. The advantage of shallow ontol-
ogy is that it is extensible at the level of
specific manifestations (such as nisse,
tokkaebi, duende, and chupacabra)
while also gathering these supernatu-
ral beings into a single higher-level cat-
egory as well. Researchers can further
extend the ontological categories to de-
scribe other cultural expressive forms,
from literary works (such as the novel)
69
contributed articles
to narrative expression (storytelling) in
social media.
Conclusion
In rural Denmark in the 19th century,
stories would reflect the trouble farm-
ers had with everything from ghosts
to house elves. The trouble with house
elves begins with their unpredictable
nature, which, for folklorists, makes
them difficult to track through the land-
scape of the story corpus. This explora-
tion of the contours of computational
folkloristics and our description of pre-
liminary experiments in multimodal
network classification for folklore cor-
pora offer not only the possibility of be-
ing able to track house elves but promis-
ing directions for future work.
One troubling aspect of working
with a large amount of humanities
data is that scholars often cannot see
the forest for the trees, to borrow a
folk expression. Moretti spoke con-
vincingly of distant reading, a correc-
tive to the long-standing tradition in
the humanities of very close reading.25
Distant reading allows scholars to “see
the forest,” discovering patterns that
might otherwise be obscured by too
close attention to the detail of a text or
performance; the same can be said of
the methods outlined here.
Fortunately, with these computa-
tional methods, researchers are able
to combine distant reading with close
reading. In so doing, they can inter-
rogate the relationship between folk
expressive culture and the individuals
who created and perpetuated these ex-
pressions in time and place. Computa-
tional folkloristics offers an opportu-
nity to read and interpret culture in a
more holistic fashion than ever before.
Acknowledgments
We wish to thank Nischal Devanur for
help in processing the data. We also
thank colleagues at the Institute for
Pure and Applied Mathematics (UCLA),
participants in Rice University’s “Tech-
nology, Cognition, and Culture” lec-
ture series, and Indiana University’s
“Networks and Complex Systems”
symposium for comments and sugges-
tions on earlier versions of this work.
The research was funded by an Ameri-
can Council of Learned Societies Digi-
tal Innovation Fellowship and National
Science Foundation grant IIS-0970179.
70 c om municatio ns o f the acm | j u ly 201 2 | vol . 5 5 | no. 7
Many of the ideas were developed at the
National Endowment for the Humani-
ties Institute for Advanced Topics in
Digital Humanities through “Networks
and Network Analysis for the Humani-
ties” NEH grant HT5001609. The work
of James Abello is partially supported
by the Center for Discrete Mathemat-
ics and Theoretical Computer Science
(DIMACS), Rutgers University, Piscat-
away, NJ, “Special Focus on Algorith-
mic Foundations of the Internet” NSF
grant #CNS-0721113, and mgvis.com
(http://mgvis.com), New Jersey. 2000.
References
1. Abello, J. Hierarchical graph maps. Computers &
Graphics 28, 3 (June 2004), 345–359.
2. Abello, J., van Ham, F. and Krishnan, N. ASK-
GraphView: A large-scale graph visualization system.
IEEE Transactions on Visualization and Computer
Graphics 12, 5 (Sept./Oct. 2006), 669–676.
3. Bascom, W.R. The Forms of Folklore: Prose Narratives.
University of California, Berkeley, 1965.
4. Bilgic, M., Licamele, L., Getoor, L., and Shneiderman,
B. D-Dupe: An interactive tool for entity resolution
in social networks. In Proceedings of the IEEE
Symposium on Visual Analytics Science and
Technology (Baltimore, Oct. 31–Nov. 2). IEEE,
Piscatway, NJ, 2006, 43–50.
5. Bjarnadóttir, K. Um Beygingarlýsingu íslensks
nútímamáls, 2009; http://www.lexis.hi.is/kristinb/
umBIN.html
6. Blei, D.M., Ng, A.Y., and Jordan, M.I. Latent dirichlet
allocation. Journal of Machine Learning Research 3
(Jan. 2003), 993–1022.
7. Carley, K., Columbus, D., Bigrigg, M., and Kunkel,
F. AutoMap User’s Guide 2010. Technical Report.
Institute for Software Research, School of Computer
Science, Carnegie Mellon University, Pittsburgh, PA,
2010.
8. Child, F.J. and Kittredge, G.L. The English and Scottish
Popular Ballads. Houghton Mifflin Company, Boston
and New York, 1882.
9. Choe, I.-h. A type index of Korean folktales. Myong Ji
University Publishing, Seoul, 1979.
10. Christiansen, R.T. The Migratory Legends.
Suomalainen Tiedeakatemia, Helsinki, 1992.
11. Deerwester, S., Dumais, S.T., Furnas, G.W., Landauer,
T.K., and Harshman, R. Indexing by latent semantic
analysis. Journal of the American Society for
Information Science 41, 6 (Sept. 1990), 391–407.
12. Dundes, A. From etic to emic units in the structural
study of folktales. Journal of American Folklore 75,
296 (Apr.–June 1962), 95–105.
13. El-Shamy, H.M. Folk Traditions of the Arab World: A
Guide to Motif Classification. Indiana University Press,
Bloomington, IN, 1995.
14. Elson, D.K. and McKeown, K.R. A tool for deep
semantic encoding of narrative texts. In Proceedings
of the ACL-IJCNLP 2009 Software Demonstrations
Joint Conference of the 47th Annual Meeting of the
Association for Computational Linguistics and Fourth
International Joint Conference on Natural Language
Processing of the AFNLP (Suntec, Singapore, Aug.
3). Association for Computational Linguistics,
Stroudsburg, PA, 2009, 9–12.
15. Eskeröd, A. Årets äring. Etnologiska studier i skördens
och julens tro och sed. Nordiska Museets handlingar
26. Håkan Ohlssons boktryckeri, Lund, Sweden, 1947.
16. Finlayson, M.A. Deriving narrative morphologies via
analogical story merging. In New Frontiers in Analogy
Research: Proceedings of the Second International
Conference on Analogy, D. Gentner, K. Holyoak, and
B. Kokinov, Eds. (Sofia, Bulgaria, July 24–27). New
Bulgarian University Press, Sofia, 2009, 127–136.
17. Finlayson, M.A. Collecting semantics in the wild:
The Story Workbench. In Proceedings of the AAAI
Fall Symposium on Naturally Inspired Artificial
Intelligence (Arlington, VA, Nov. 7–9). AAAI Press,
Menlo Park, CA, 2008, 46–53.
18. Fogaras, D. and Rácz, B. Scaling link-based similarity
search. In Proceedings of the 14th International
Conference on the World Wide Web (Chiba, Japan, May
10–14). ACM Press, New York, 2005, 641–650.
19. Gasperin, C., Gamallo, P., Agustini, A., Lopes, G., and
Lima, V.D. Using syntactic contexts for measuring
word similarity. In Proceedings of the ESSLLI
Workshop on Semantic Knowledge Acquisition and
Categorisation (Helsinki, Aug. 13–17). ESSLLI,
Helsinki, 2001, 18–23.
20. Hofmann, T., Schölkopf, B., and Smola, A.J. Kernel
methods in machine learning. Annals of Statistics 36,
3 (June 2008), 1171–1220.
21. Jiang, X. and Tan, A.-H. Mining ontological knowledge
from domain-specific text documents. In Proceedings
of the Fifth IEEE International Conference on Data
Mining (Houston, Nov. 27–30). IEEE Computer Society,
Los Alamitos, CA, 2005, 665–668.
22. Krohn, K. Die Folkloristische Arbeitsmethode. H.
Aschehoug & Co., Oslo, 1926.
23. Le Cam, L.M. and Yang, G.L. Asymptotics in Statistics:
Some Basic Concepts. Springer-Verlag, New York,
24. McCallum, A.K. MALLET: A Machine Learning for
Language Toolkit. University of Massachusetts,
Amherst, 2002; http://mallet.cs.umass.edu
25. Moretti, F. Conjectures on world literature. New Left
Review 1 (Jan.–Feb. 2000), 54–66.
26. Paneva, D., Rangochev, K., and Luchev, D. Ontological
model of the Knowledge in Folklore Digital Library. In
Proceedings of the Fifth HUBUSKA Open Workshop
on Knowledge Technologies and Applications, T.
Urbanova, I. Simonics, and R. Pavlov, Eds. (Kosice,
Slovakia, May 31-June 1). HUBUSKA, Kosice, Slovakia,
2007, 47–55.
27. Pedersen, B.S., Nimb, S., and Trap-Jensen, L. DanNet:
Udvikling og anvendelse af det Danske WordNet.
Nordiske Studier i leksikografi 9 (2008), 353–370.
28. Propp, V.I.A. Morfologija Skazki. Academia, Leningrad,
1928.
29. Sanfilippo, A., Tratz, S., Gregory, M., Chappell, A.,
Whitney, P., Posse, C., Paulson, P., Baddeley, B.,
Hohimer, R., and White, A. Ontological annotation with
WordNet. In SemAnnot 2005: Proceedings of the Fifth
International Workshop on Knowledge Markup and
Semantic Annotation, S. Handschuh, T. Declerck, and
M.-R. Koivun, Eds. (Galway, Ireland, Nov. 7). Ceur-WS,
Aachen, Germany, 2005, 27–36.
30. Schölkopf, B. and Smola, A.J. Learning with Kernels:
Support Vector Machines, Regularization, Optimization,
and Beyond. MIT Press, Cambridge, MA, 2002.
31. Siikala, A.-L. Interpreting Oral Narrative. Suomalainen
Tiedeakatemia, Helsinki, 1990.
32. Tang Kristensen, E. Danske sagn, som de har lydt
i folkemunde, udelukkende efter utrykte kilder. Ny
Række. Woels Forlag, Copenhagen, 1928–1939.
33. Tang Kristensen, E. Danske sagn, som de har lydt i
folkemunde, udelukkende efter utrykte kilder. Aarhus
Folkeblads Bogtrykkeri, Aarhus, 1892–1901.
34. Tangherlini, T.R. Legendary performances: Folklore,
repertoire and mapping. Ethnologia Europaea 40, 2
(2010), 103–115.
35. Tangherlini, T.R. Interpreting Legend: Danish
Storytellers and Their Repertoires. Garland Publishing,
New York, 1994.
36. Thompson, S. Motif-Index of Folk-literature. A
Classification of Narrative Elements in Folktales,
Ballads, Myths, Fables, Mediaeval Romances, Exempla,
Fabliaux, Jest-Books, and Local Legends. Indiana
University Press, Bloomington, 1955–1958.
37. Uther, H.-J. The Types of International Folktales: A
Classification and Bibliography Based on the System
of Antti Aarne and Stith Thompson. Suomalainen
Tiedeakatemia Helsinki, 2004.
James Abello ([email protected]) is research
professor in the Center for Discrete Mathematics and
Theoretical Computer Science of Rutgers University,
Piscataway, NJ.
Peter M. Broadwell ([email protected])
is a Council on Library and Information Resources
postdoctoral fellow in the Digital Initiatives Department
of the Charles E. Young Research Library at the University
of California, Los Angeles.
Timothy R. Tangherlini ([email protected]) is
a professor of folklore in the Scandinavian Section and
the Department of Asian Languages and Cultures at the
University of California, Los Angeles and a fellow of the
American Folklore Society.
© 2012 ACM 0001-0782/12/07 $15.00
 doi:10.1145/ 2209249 . 2 2 0 9 2 6 8

The reductionism behind today’s software-

engineering methods breaks down in the face
of systems complexity.
by Ian Sommerville, Dave Cliff, Radu Calinescu,
Justin Keen, Tim Kelly, Marta Kwiatkowska,
John McDermid, and Richard Paige

Large-Scale
Complex
IT Systems
On the afternoon of May 6, 2010, the U.S. equity
markets experienced an extraordinary upheaval. Over
approximately 10 minutes, the Dow Jones Industrial
Average dropped more than 600 points, representing
the disappearance of approximately $800 billion of
market value. The share price of several blue-chip

multinational companies fluctuated curred, it reversed, so over the next few

dramatically; shares that had been at
tens of dollars plummeted to a penny
in some cases and rocketed to values
over $100,000 per share in others. As
suddenly as this market downturn oc-
key insights
 C oalitions of systems, in which the system
elements are managed and owned
independently, pose challenging new
problems for systems engineering.
W
 hen the fundamental basis of
engineering—reductionism—breaks
down, incremental improvements to
current engineering techniques are
unable to address the challenges of
developing, integrating, and deploying
large-scale complex IT systems.
 D eveloping complex systems requires
a socio-technical perspective involving
human, organizational, social, and
political factors, as well as technical
factors.
minutes most of the loss was recovered
and share prices returned to levels
close to what they had been before the
crash.
This event came to be known as the
“Flash Crash,” and, in the inquiry re-
port published six months later,7 the
trigger event was identified as a single
block sale of $4.1 billion of futures con-
tracts executed with uncommon ur-
gency on behalf of a fund-management
company. That sale began a complex
pattern of interactions between the
high-frequency algorithmic trading
systems (algos) that buy and sell blocks
of financial instruments on incredibly
short timescales.
A software bug did not cause the
Flash Crash; rather, the interactions of
independently managed software sys-
tems created conditions unforeseen

ju ly 2 0 1 2 | vo l. 55 | n o. 7 | c om m u n i c at ion s o f t he acm 71
contributed articles
(probably unforeseeable) by the own-
ers and developers of the trading sys-
tems. Within seconds, the result was a
failure in the broader socio-technical
markets that increasingly rely on the
algos (see the sidebar “Socio-Techni-
cal Systems”).
Society depends on complex IT sys-
tems created by integrating and or-
chestrating independently managed
systems. The incredible increase in
scale and complexity in them over the
past decade means new software-engi-
neering techniques are needed to help
us cope with their inherent complexity.
Here, we explain the principal reasons
today’s software-engineering meth-
ods and tools do not scale, proposing
a research and education agenda to
help address the inherent problems
of large-scale complex IT systems, or
LSCITS, engineering.
Coalitions of Systems
The key characteristic of these systems
is that they are assembled from other
systems that are independently con-
trolled and managed. While there is
increasing awareness in the software-
engineering community of related is-
sues,10 the most relevant background
work comes from systems engineering.
Systems engineering focuses on devel-
oping systems as a whole, as defined by
the International Council for Systems
Engineering (http://www.incose.org/):
“Systems engineering integrates all the
disciplines and specialty groups into
a team effort forming a structured de-
velopment process that proceeds from
concept to production to operation.
Systems engineering considers both
the business and the technical needs
of all customers with the goal of pro-
viding a quality product that meets the
user needs.”
Systems engineering emerged to
take a systemwide perspective on com-
plex engineered systems involving
structures and electrical and mechani-
cal systems. Almost all systems today
are software-intensive, and systems
engineers address the challenge of
constructing ultra-large-scale software
systems.17 The most relevant aspects of
systems engineering is work on “sys-
tem of systems,” or SoS,12 about which
Maier said the distinction between
SoS and complex monolithic systems
is that SoS elements are operationally
72 c omm unic atio ns o f the ac m | j u ly 201 2 | vo l . 5 5 | no. 7
and managerially independent. Char-
acterizing SoS, he covered a range of
systems, from directed (developed for
a particular purpose) to virtual (lack-
Developers cannot ing a central management authority or
centrally agreed purpose). LSCITS is a
analyze inherent type of SoS in which the elements are
owned and managed by different orga-
complexity nizations. In this classification, the col-
during system lection of systems that led to the Flash
Crash (an LSCITS) would be called a
development, “virtual system of systems.” However,
as it depends since Maier’s article was published in
1998, the word “virtual” has generally
on the system’s taken on a different meaning—virtual
dynamic operating machines; consequently, we propose
an alternative term that we find more
environment. descriptive—“coalition of systems.”
The systems in a coalition of systems
work together, sometimes reluctantly,
as doing so is in their mutual interest.
Coalitions of systems are not explicitly
designed but come into existence as
different member systems interact ac-
cording to agreed-upon protocols. Like
political coalitions, there might even
be hostility between various members,
and members enter and leave accord-
ing to their interpretation of their own
best interests.
The interacting algos that led to the
Flash Crash represent an example of a
coalition of systems, serving the pur-
poses of their owners and cooperating
only because they have to. The owners
of the individual systems were compet-
ing finance companies that were often
mutually hostile. Each system jealous-
ly guarded its own information and
could change without consulting any
other system.
Dynamic coalitions of software-
intensive systems are a challenge for
software engineering. Designing de-
pendability into the coalition is not
possible, as there is no overall design
authority, nor is it possible to central-
ly control the behavior of individual
systems. The systems in the coalition
can change unpredictably or be com-
pletely replaced, and the organiza-
tions running them might themselves
cease to exist. Coalition “design” in-
volves the protocols for communica-
tions, and each organization using
the coalition orchestrates the constit-
uent systems its own way. However,
the designers and managers of each
individual system must consider how
to make it robust enough to ensure

their organizations are not threat-
ened by failure or undesirable behav-
ior elsewhere in the coalition.
System Complexity
Complexity stems from the number
and type of relationships between the
system’s components and between the
system and its environment. If a rela-
tively small number of relationships
exist between system components and
they change relatively slowly over time,
then engineers can develop determin-
istic models of the system and make
predictions concerning its properties.
However, when the elements in a
system involve many dynamic relation-
ships, complexity is inevitable. Com-
plex systems are nondeterministic,
and system characteristics cannot be
predicted by analyzing the system’s
constituents. Such characteristics
emerge when the whole system is put
to use and changes over time, depend-
ing how it is used and on the state of its
external environment.
Dynamic relationships include
those between system elements and
the system’s environment that change.
For example, a trust relationship is a
dynamic relationship; initially, com-
ponent A might not trust component
B, so, following some interchange,
A checks that B has performed as ex-
pected. Over time, these checks may
be reduced in scope as A’s trust in B
increases. However, some failure in B
may profoundly influence that trust,
and, after the failure, even more strin-
gent checks might be introduced.
Complexity stemming from the
dynamic relationships between ele-
ments in a system depends on the ex-
istence and nature of these relation-
ships. Engineers cannot analyze this
inherent complexity during system
development, as it depends on the
system’s dynamic operating environ-
ment. Coalitions of systems in which
elements are large software systems
are always inherently complex. The
relationships between the elements of
the coalition change because they are
not independent of how the systems
are used or of the nature of their op-
erating environments. Consequently,
the nonfunctional (often even the
functional) behavior of coalitions of
systems is emergent and impossible to
predict completely.
contributed articles
Socio-Technical Systems
Engineers are concerned primarily with building technical systems from hardware
and software components and assume system requirements reflect the organizational
needs for integration with other systems, compliance, and business processes.
Yet systems in use are not simply technical systems but “socio-technical systems.”
To reflect the fact they involve evolving and interacting communities that include
technical, human, and organizational elements, they are sometimes also called “socio-
technical ecosystems,” though the term socio-technical systems is more common.
Socio-technical systems include people and processes, as well as technological
systems. The process definitions outline how the system designers intend the system
should be used, but, in practice, users interpret and adapt them in unpredictable ways,
depending on their education, experience, and culture. Individual and group behavior
also depend on organizational rules and regulations, as well as organizational culture,
or “the way things are done around here.”
Defining technical software-intensive systems intended to support an
organization’s work in isolation is an oversimplification that hinders software
engineering. So-called system requirements represent the interface between the
technical system and the wider socio-technical system, yet requirements are inevitably
incomplete, incorrect, and/or out of date. Coalitions of systems cannot operate on this
basis. Rather, engineers must recognize that by taking advantage of the abilities and
inventiveness of people, the systems will be more effective and resilient.
Even when the relationships be- and 1980s, modern software is much
tween system elements are simpler, larger, more complex, more reliable,
relatively static, and, in principle, un- and often developed more quickly.
derstandable, there may be so many Software products deliver astonishing
elements and relationships that un- functionality at relatively low cost.
derstanding them is practically impos- Software engineering has focused
sible. Such complexity is called “epis- on reducing and managing epistemic
temic complexity” due to our lack of complexity, so, where inherent com-
knowledge of the system rather than plexity is relatively limited and a single
some inherent system characteris- organization controls all system ele-
tics.16 For example, it may be possible ments, software engineering is highly
in principle to deduce the traceability effective. However, for coalitions of
relationships between requirements systems with a high degree of inherent
and design, but, if appropriate tools complexity, today’s software engineer-
are not available, doing so may be prac- ing techniques are inadequate.
tically impossible. This is reflected in the failure that is
If you do not know enough about all too common in large government-
a system’s components and their re- funded projects. The software may be
lationships, you cannot make predic- delivered late, be more expensive to
tions about overall behavior, even if the develop than anticipated, and inad-
system lacks dynamic relationships equate for the needs of its users. An
between its elements. Epistemic com- example of such a project was the at-
plexity increases with system size; as tempt, from 2000 to 2010, to automate
ever-larger systems are built, they are U.K. health records; the project was ul-
inevitably more difficult to understand timately abandoned at a cost estimated
and their behavior and properties at $5 billion–$10 billion.19
more difficult to predict. This distinc- The fundamental reason today’s
tion between inherent and epistemic software engineering cannot effec-
complexity is important. As discussed tively manage inherent complexity is
in the following section, it is the prima- that its basis is in developing individ-
ry reason new approaches to software ual programs rather than in interact-
engineering are needed. ing systems. The consequence is that
software-engineering methods are
Reductionism and unsuitable for building LSCITS. To ap-
Software Engineering preciate why, we need to examine the
In some respects, software engineering essential divide-and-conquer reduc-
has been incredibly successful. Com- tionist assumption that is the basis of
pared to the systems built in the 1970s all modern engineering.
ju ly 2 0 1 2 | vo l . 55 | n o. 7 | c om m u n i c at ion s o f t he acm 73
contributed articles
Reductionism is a philosophical
position that a complex system is no
more than the sum of its parts, and
that an account of the overall system
can be reduced to accounts of individ-
ual constituents. From an engineering
perspective, this means systems engi-
neers must be able to design a system
so it is composed of discrete smaller
parts and interfaces allowing the parts
to work together. A systems engineer
then builds the system elements and
integrates them to create the desired
overall system.
Researchers generally adopt this
reductionist assumption, and their
work concerns finding better ways to
decompose problems or systems (such
as software architecture), better ways
to create the parts of the system (such
as object-oriented techniques), or bet-
ter ways to do system integration (such
as test-first development). Underlying
all software-engineering methods and
techniques (see Figure 1) are three re-
ductionist assumptions:
System owners control system devel-
opment. A reductionist perspective
takes the view that an ultimate control-
ler has the authority to take decisions
about a system and is therefore able
to enforce decisions on, say, how com-
ponents interact. However, when sys-
tems consist of independently owned
and managed elements, there is no
such owner or controller and no cen-
tral authority to take or enforce design
decisions;
Decisions are rational, driven by tech-
Figure 1. Reductionist assumptions vs. LSCITS reality.
Reductionist assumptions
Owners of
a system control
its development
Control
No single owner
or controller
Large-scale complex IT systems reality
74 comm unicatio ns o f the ac m | j u ly 201 2 | vol . 5 5 | no. 7
nical criteria. Decision making in orga-
nizations is profoundly influenced by
political considerations, with actors
striving to maintain or improve their
current positions to avoid losing face.
Technical considerations are rarely the
most significant factor in large-system
decision making; and
The problem is definable, and sys-
tem boundaries are clear. The nature
of “wicked problems”15 is that the
“problem” is constantly changing, de-
pending on the perceptions and status
of stakeholders. As stakeholder posi-
tions change, the boundaries are like-
wise redefined.
However, for coalitions of systems,
these assumptions never hold true,
and many software project “failures,”
where software is delivered late and/
or over budget, are a consequence of
adherence to the reductionist view. To
help address inherent complexity, soft-
ware engineering must look toward
the systems, people, and organizations
that make up a software system’s envi-
ronment. We need to represent, ana-
lyze, model, and simulate potential op-
erational environments for coalitions
of systems to help us understand and
manage, so far as possible, the com-
plex relationships in the coalition.
Challenges
Since 2006, initiatives in the U.S.
and in Europe have sought to ad-
dress engineering large coalitions of
systems. In the U.S., a report by the
influential Software Engineering In-
Decisions made Definable problem
rationally, driven by and clear system
technical criteria boundaries
Rationality Problem definition
Wicked problem and
Decisions driven by constantly renegotiated
political motives system boundaries
stitute at Carnegie Mellon University
(http://www.sei.cmu.edu/) on ultra-
large-scale systems (ULSS)13 triggered
research leading to creation of the
Center for Ultra-Large Scale Software-
Intensive Systems, or ULSSIS (http://
ulssis.cs.virginia.edu/ULSSIS), a re-
search consortium involving the Uni-
versity of Virginia, Michigan State
University, Vanderbilt University,
and the University of California, San
Diego. In the U.K., the comparable
LSCITS Initiative addresses problems
of inherent and epistemic complexity
in LSCITS, while Hillary Sillitto, a se-
nior systems architect at Thales Land
& Joint Systems U.K., has proposed
ULSS design principles.17
Northrop et al.13 made the point
that developing ultra-large-scale sys-
tems needs to go beyond incremental
improvements to current methods,
identifying seven important research
areas: human interaction, computa-
tional emergence, design, computa-
tional engineering, adaptive system
infrastructure, adaptable and predict-
able system quality and policy, and ac-
quisition and management. The SEI
ULSS report suggested it is essential to
deploy expertise from a range of disci-
plines to address these challenges.
We agree the research required is
interdisciplinary and that incremental
improvement in existing techniques is
unable to address the long-term soft-
ware-engineering challenges of ultra-
large-scale systems engineering. How-
ever, a weakness of the SEI report was
its failure to set out a roadmap outlin-
ing how large-scale systems engineer-
ing can get from where it is today to the
research it proposed.
Software engineers worldwide cre-
ating large complex software systems
require more immediate, perhaps
more incremental, research, driven by
the practical problems of complex IT
systems engineering. The pragmatic
proposals we outline here begin to ad-
dress some of them, aiming for medi-
um-term, as well as a longer-term, im-
pact on LSCITS engineering.
The research topics we propose
here might be viewed as part of the
roadmap that could lead us from cur-
rent practice to LSCITS engineering.
We see them as a bridge between the
short- and medium-term imperative to
improve our ability to create coalitions
 contributed articles

of systems and the longer-term vision
set out in the SEI ULSS report.
Developing coalitions of systems in-
volves engineering individual systems
to work in the orchestration, as well as
configuration, of a coalition to meet
organizational needs. Based on the
ideas in the SEI ULSS report and on our
The nonfunctional
(and, often, the
a failure for some users may have no ef-
fect on others. Because some failures
are ambiguous, automated systems
cannot cope on their own. Human op-
erators must use information from the
system, intervening to enable it to re-
cover from failure. This means under-

own experience in the U.K. LSCITS Ini-
tiative, we have identified 10 questions
that can help define a research agenda
for future LSCITS software engineering:
How can interactions between inde-
pendent systems be modeled and simu-
lated? To help understand and manage
coalitions of systems LSCITS engineers
need dynamic models that are updated
in real time with information from
the system itself. These models are
needed to help make what-if assess-
ments of the consequences of system-
change options. This requires new
performance- and failure-modeling
techniques where the models adapt au-
tomatically due to system-monitoring
data. We do not suggest simulations
can be complete or predict all possible
problems. However, other engineering
disciplines (such as civil and aeronau-
tical engineering) have benefited enor-
mously from simulation, and compa-
rable benefits could be achieved for
software engineering.
How can coalitions of systems be mon-
itored? And what are the warning signs
problems produce? In the run-up to the
Flash Crash, no warning signs indicat-
ed the market was tending toward an
unstable state. To help avoid transition
to an unstable system state, systems
engineers need to know the indicators
that provide information about the
state of the coalition of systems, how
they may be used to provide both early
warnings of system problems, and, if
necessary, switch to safe-mode operat-
ing conditions that prevent the possi-
bility of damage.
How can systems be designed to re-
cover from failure? A fundamental prin-
ciple of software engineering is that
systems should be built so they do not
fail, leading to development of meth-
ods and tools based on fault avoidance,
fault detection, and fault tolerance.
However, as coalitions of systems are
constructed with independently man-
aged elements and negotiated require-
ments, avoiding failure is increasingly
impractical. Indeed, what seems to be
functional) behavior
standing the socio-technical processes
of failure recovery, the support the
of coalitions operators need, and how to design co-
alition members to be “good citizens”
of systems is able to support failure recovery.
emergent and How can socio-technical factors be
integrated into systems and software-
impossible to engineering methods? Software- and
predict completely. systems-engineering methods support
development of technical systems and
generally consider human, social, and
organizational issues to be outside
the system’s boundary. However, such
nontechnical factors significantly af-
fect development, integration, and
operation of coalitions of systems.
Though a considerable body of work
covers socio-technical systems, it has
not been industrialized or made acces-
sible to practitioners. Baxter and Som-
merville2 surveyed this work and pro-
posed a route to industrial-scale use
of socio-technical methods. However,
much more research and experience is
required before socio-technical analy-
ses are used routinely for complex sys-
tems engineering.
To what extent can coalitions of sys-
tems be self-managing? Needed is re-
search into self-management so sys-
tems are able to detect changes in both
their operation and operational envi-
ronment and dynamically reconfigure
themselves to cope with the changes.
The danger is that reconfiguration will
create further complexity, so a key re-
quirement is for the techniques to op-
erate in a safe, predictable, auditable
way ensuring self-management does
not conflict with “design for recovery.”
How can organizations manage com-
plex, dynamically changing system con-
figurations? Coalitions of systems will
be constructed through orchestration
and configuration, and desired system
configurations will change dynami-
cally in response to load, indicators
of system health, unavailability of
components, and system-health warn-
ings. Ways are needed to support con-
struction by configuration, managing
configuration changes and recording
changes, including automated chang-

ju ly 2 0 1 2 | vo l . 55 | n o. 7 | com m u n i cat ion s o f t he acm 75

contributed articles
es from the self-management system,
in real time, so an audit trail includes
the configuration of the coalition at
any point in time.
How should the agile engineering of
coalitions of systems be supported? The
business environment changes quickly
in response to economic circumstanc-
es, competition, and business reorga-
nization. Likewise, coalitions of sys-
tems must be able to change quickly to
reflect current business needs. A model
of system change that relies on lengthy
processes of requirements analysis and
approval does not work. Agile methods
of programming have been success-
ful for small- to medium-size systems
where the dominant activity is systems
development. For large complex sys-
tems, development processes are often
dominated by coordination activities
involving multiple stakeholders and
engineers who are not colocated. How
can agile approaches be effective for
“systems development in the large” to
support multi-organization global sys-
tems development?
How should coalitions of systems
be regulated and certified? Many such
coalitions represent critical systems,
failure of which could threaten individ-
uals, organizations, and national econ-
omies. They may have to be certified by
regulators checking that, as far as pos-
sible, they do not pose a threat to their
operators or to the wider systems en-
vironment. But certification is expen-
Figure 2. Outline structure for master’s course in LSCITS.
Systems
Ultra-large-scale
systems
Complexity
Mathematical
modeling
Socio-technical
systems
Options from computer science, engineering, psychology, business
Industrial project
76 comm unicatio ns o f th e ac m | j u ly 201 2 | vo l. 5 5 | no. 7
sive. For some safety-critical systems,
the cost of certification can exceed the
cost of development, and certification
costs will increase as systems become
larger and more complex. Though cer-
tification as practiced today is almost
certainly impossible for coalitions of
systems, research is urgently needed
into incremental and evolutionary cer-
tification so our ability to deploy criti-
cal complex systems is not curtailed by
certification requirements. This issue
is social, as well as technical, as societ-
ies decide what level of certification is
socially and legally acceptable.
How can systems undergo “probabilis-
tic verification”? Today’s techniques of
system testing and more formal analy-
sis are based on the assumption that a
system involves a definitive specifica-
tion and that behavior deviating from
it is recognized. Coalitions of systems
have no such specification nor is sys-
tem behavior guaranteed to be deter-
ministic. The key verification issue will
not be whether the system is correct
but the probability that it satisfies es-
sential properties (such as safety) that
take into account its probabilistic, real-
time, nondeterministic behavior.8,11
How should shared knowledge in a
coalition of systems be represented? We
assume the systems in a coalition in-
teract through service interfaces so
the system has no overarching con-
troller. Information is encoded in a
standards-based representation. The
Engineering Business
Systems Organizational
engineering change
Systems Legal and
procurement regulatory issues
Systems Technology
integration innovation
Systems Program
resilience management
key problem will not be compatibility
but understanding what the informa-
tion exchange really means. This is ad-
dressed today on a system-by-system
basis through negotiation between
system owners to clarify the meaning
of shared information. However, if
dynamic coalitions are allowed, with
systems entering and leaving the coali-
tion, negotiation is not practical. The
key is developing a means of sharing
the meaning of information, perhaps
through ontologies like those pro-
posed by Antoniou and van Harmelen1
involving the semantic Web.
A major problem researchers must
address is lack of knowledge of what
happens in real systems. High-profile
failures (such as the Flash Crash) lead
to inquiries, but more is needed about
the practical difficulties faced by de-
velopers and operators of coalitions
of systems and how to address them
as they arise. New ideas, tools, and
methods must be supported by long-
term empirical studies of the systems
and their development processes to
provide a solid information base for re-
search and innovation.
The U.K. LSCITS Initiative5 address-
es some of them, working with partners
from the computer, financial services,
and health-care industries to develop
an understanding of the fundamental
systems engineering problems they
face. Key to this work is a long-term en-
gagement with the National Health In-
formation Center to create coalitions
of systems to provide external access to
and analysis of vast amounts of health
and patient data.
The project is developing practical
techniques of socio-technical systems
engineering2 and exploring design for
failure.18 It has so far developed prac-
tical, predictable techniques for au-
tonomic system management3,4 and
is investigating the scaling up of agile
methods14 and exploring incremental
system certification9 and development
of techniques for system simulation
and modeling.
Education. To address the practical
issues of creating, managing, and op-
erating LSCITS, engineers need knowl-
edge and understanding of the systems
and with techniques outside a “nor-
mal” software- or systems-engineering
education. In the U.K., the LSCITS Ini-
tiative provides a new kind of doctoral

degree, comparable in standard to a
Ph.D. in computer science or engi-
neering. Students get an engineering
doctorate, or EngD, in LSCITS,20 with
the following key differences between
EngD and Ph.D.:
Industrial problems. Students must
work on and spend significant time
on an industrial problem. Universities
cannot simply replicate the complex-
ity of modern software-intensive sys-
tems, with few faculty members hav-
ing experience and understanding of
the systems;
Range of courses. Students must take
a range of courses focusing on com-
plexity and systems engineering (such
as for LSCITS, socio-technical systems,
high-integrity systems engineering,
empirical methods, and technology in-
novation); and
Portfolio of work. Students do not
have to deliver a conventional thesis, a
book on a single topic, but can deliver
a portfolio of work around their select-
ed area; it is a better reflection of work
in industry and makes it easier for the
topic to evolve as systems change and
new research emerges.
However, graduating a few advanced
doctoral students is not enough. Uni-
versities and industry must also create
master’s courses that educate com-
plex-systems engineers for the coming
decades; our thoughts on what might
be covered are outlined in Figure 2.
The courses must be multidisciplinary,
combining engineering and business
disciplines. It is not only the knowl-
edge the disciplines bring that is im-
portant but also that students be sen-
sitized to the perspectives of a variety
of disciplines and so move beyond the
silo of single-discipline thinking.
Conclusion
Since the emergence of widespread
networking in the 1990s, all societies
have grown increasingly dependent on
complex software-intensive systems,
with failure having profound social
and economic consequences. Indus-
trial organizations and government
agencies alike build these systems
without understanding how to analyze
their behavior and without appropriate
engineering principles to support their
construction.
The SEI ULSS report14 argued that
current engineering methods are inad-
equate, saying: “For 40 years, we have
embraced the traditional engineering
perspective. The basic premise under-
lying the research agenda presented in
this document is that beyond certain
complexity thresholds, a traditional
centralized engineering perspective is
no longer adequate nor can it be the
primary means by which ultra-complex
systems are made real.” A key contri-
bution of our work in LSCITS is articu-
lating the fundamental reasons this
assertion is true. By examining how en-
gineering has a basis in the philosophi-
cal notion of reductionism and how
reductionism breaks down in the face
of complexity, it is inevitable that tradi-
tional software-engineering methods
will fail when used to develop LSCITS.
Current software engineering is simply
not good enough. We need to think dif-
ferently to address the urgent need for
new engineering approaches to help
construct large-scale complex coali-
tions of systems we can trust.
Acknowledgments
We would like to thank our colleagues
Gordon Baxter and John Rooksby of St.
Andrews University in Scotland and
Hillary Sillitto of Thales Land & Joint
Systems U.K. for their constructive
comments on drafts of this article. The
work report here was partially funded
by the U.K. Engineering and Physical
Science Research Council (www.epsrc.
ac.uk) grant EP/F001096/1. gov.uk/resource-library/review-department-health-
References
1. Antoniou, G. and van Harmelen, F. A Semantic Web
Primer, Second Edition. MIT Press, Cambridge, MA,
2008.
2. Baxter, G. and Sommerville, I. Socio-technical systems:
From design methods to systems engineering.
Interacting with Computers 23, 1 (Jan. 2011), 4–17.
3. Calinescu, R., Grunske, L., Kwiatkowska, M., Mirandola,
R., and Tamburrelli, G. Dynamic QoS management
and optimisation in service-based systems. IEEE
Transactions on Software Engineering 37, 3 (Mar.
2011), 387–409.
4. Calinescu, R. and Kwiatkowska, M. Using quantitative
analysis to implement autonomic IT systems. In
Proceedings of the 31st International Conference
on Software Engineering (Vancouver, May). IEEE
Computer Society Press, Los Alamitos, CA, 2009,
100–110.
5. Cliff, D., Calinescu, R., Keen, J., Kelly, T., Kwiatkowska,
M., McDermid, J., Paige, R., and Sommerville, I. The
U.K. Large-Scale Complex IT Systems Initiative 2010;
http://lscits.cs.bris.ac.uk/docs/lscits_overview_2010.
pdf
6. Cliff, D. and Northrop, L. The Global Financial Markets:
An Ultra-Large-Scale Systems Perspective. Briefing
paper for the U.K. Government Office for Science
Foresight Project on the Future of Computer Trading
in the Financial Markets, 2011; http://www.bis.gov.
uk/assets/bispartners/foresight/docs/computer-
trading/11-1223-dr4-global-financial-markets-
systems-perspective.pdf
7. Commodity Futures Trading Commission and
Securities and Exchange Commission (U.S.). Findings
ju ly 2 0 1 2 | vo l . 55 | n o. 7 | c om m u n i c at ion s o f t he acm
contributed articles
Regarding the Market Events of May 6th, 2010. Report
of the CFTC and SEC to the Joint Advisory Committee
on Emerging Regulatory Issues, 2010; http://www.
sec.gov/news/studies/2010/marketevents-report.pdf
8. Ge, X., Paige, R.F., and McDermid, J.A. Analyzing
system failure behaviors with PRISM. In Proceedings
of the Fourth IEEE International Conference
on Secure Software Integration and Reliability
Improvement Companion (Singapore, June). IEEE
Computer Society Press, Los Alamitos, CA, 2010,
130–136.
9. Ge, X., Paige, R.F., and McDermid, J.A. An iterative
approach for development of safety-critical software
and safety arguments. In Proceedings of Agile 2010
(Orlando, FL, Aug.). IEEE Computer Society Press, Los
Alamitos, CA, 2010, 35–43.
10. Goth, G. Ultralarge systems: Redefining software
engineering. IEEE Software 25, 3 (May 2008), 91–94.
11. Kwiatkowska, M., Norman, G., and Parker D. PRISM:
Probabilistic model checking for performance and
reliability analysis. ACM SIGMETRICS Performance
Evaluation Review 36, 4 (Oct. 2009), 40–45.
12. Maier, M.W. Architecting principles for system of
systems. Systems Engineering 1, 4 (Oct. 1998),
267–284.
13. Northrop, L. et al. Ultra-Large-Scale Systems: The
Software Challenge of the Future. Technical Report.
Carnegie Mellon University Software Engineering
Institute, Pittsburgh, PA, 2006; http://www.sei.cmu.
edu/library/abstracts/books/0978695607.cfm
14. Paige, R.F., Charalambous, R., Ge, X., and Brooke, P.J.
Towards agile development of high-integrity systems.
In Proceedings of the 27th International Conference on
Computer Safety, Reliability, and Security (Newcastle,
U.K., Sept.) Springer-Verlag, Heidelberg, 2008, 30–43.
15. Rittel, H. and Webber, M. Dilemmas in a general theory
of planning. Policy Sciences 4 (Oct. 1973), 155–73.
16. Rushby, J. Software verification and system
assurance. In Proceedings of the Seventh IEEE
International Conference on Software Engineering and
Formal Methods (Hanoi, Nov.). IEEE Computer Society
Press, Los Alamitos, CA, 2009, 1–9.
17. Sillitto, H.T. In Proceedings of the 20th International
Council for Systems Engineering International
Symposium (Chicago, July). Curran & Associates, Inc.,
Red Hook, NY, 2010.
18. Sommerville, I. Designing for Recovery: New
Challenges for Large-scale Complex IT Systems.
Keynote address, Eighth IEEE Conference on
Composition-Based Software Systems (Madrid, Feb.
2008); http://sites.google.com/site/iansommerville/
keynote-talks/DesigningForRecovery.pdf
19. U.K. Cabinet Office. Programme Assessment Review
of the National Programme for IT. Major Projects
Authority, London, 2011; http://www.cabinetoffice.
national-programme-it
20. University of York. The LSCITS Engineering Doctorate
Centre, York, England, 2009; http://www.cs.york.ac.uk/
EngD/
Ian Sommerville ([email protected])
is a professor in the School of Computer Science, St.
Andrews University, Scotland.
Dave Cliff ([email protected]) is a professor in the
Department of Computer Science, Bristol University,
England.
Radu Calinescu ([email protected]) is a lecturer in
the Department of Computer Science, Aston University,
England.
Justin Keen ([email protected]) is a professor in the
School of Health Informatics, Leeds University, England.
Tim Kelly ([email protected]) is a senior lecturer
in the Department of Computer Science, York University,
England.
Marta Kwiatkowska ([email protected].
uk) is a professor in the Department of Computer Science,
Oxford University England.
John McDermid ([email protected]) is a professor in
the Department of Computer Science, York University,
England.
Richard Paige ([email protected]) is a professor in
the Department of Computer Science, York University,
England.
© 2012 ACM 0001-0782/12/07 $15.00
77
contributed articles
doi:10.1145/ 2209249.2209269
Cache coherence has come to domi-
On-chip hardware coherence can scale nate the market for technical, as well as
for legacy, reasons. Technically, hard-
gracefully as the number of cores increases. ware cache coherence provides per-
formance generally superior to what is
By Milo M.K. Martin, Mark D. Hill, and Daniel J. Sorin achievable with software-implemented
coherence. Cache coherence’s legacy

Why On-Chip
advantage is that it provides backward
compatibility for a long history of soft-
ware, including operating systems,
written for cache-coherent shared-

Cache
memory systems.
Although coherence delivers value
in today’s multicore systems, the con-
ventional wisdom is that on-chip cache

Coherence Is
coherence will not scale to the large
number of cores expected to be found
on future processor chips.5,10,13 Coher-
ence’s alleged lack of scalability aris-

Here to Stay
es from claims of unscalable storage
and interconnection network traffic
and concerns over latency and energy.
Such claims lead to the conclusion that
cores in future multicore chips will not
employ coherence but instead commu-
nicate with software-managed coher-
ence, explicitly managed scratchpad
memories, and/or message passing
(without shared memory).
S ha red memor y i s the dominant low-level Here, we seek to refute this con-
ventional wisdom by presenting one
communication paradigm in today’s mainstream way to scale on-chip cache coherence
multicore processors. In a shared-memory system, in which coherence overheads—traf-
fic, storage, latency, and energy—grow
the (processor) cores communicate via loads and slowly with core count and are similar
stores to a shared address space. The cores use caches to the overheads deemed acceptable in
to reduce the average memory latency and memory today’s systems. To do this, we syner-
gistically combine known techniques,
traffic. Caches are thus beneficial, but private caches including shared caches augmented
lead to the possibility of cache incoherence. The
mainstream solution is to provide shared memory key insights
and prevent incoherence through a hardware cache  T he approach taken here scales on-chip
hardware cache coherence to many
coherence protocol, making caches functionally cores with bounded traffic, storage,
latency, and energy overheads.
invisible to software. The incoherence problem and
 F or the same reason system designers
basic hardware coherence solution are outlined in will not abandon compatibility for
the sidebar, “The Problem of Incoherence,” page 86. the sake of eliminating minor costs,
they likewise will not abandon cache
Cache-coherent shared memory is provided by coherence.

mainstream servers, desktops, laptops, and mobile  C ontinued coherence support lets
programmers concentrate on what
devices and is available from all major vendors, matters for parallel speedups: finding
work to do in parallel with no undo
including AMD, ARM, IBM, Intel, and Oracle (Sun). communication and synchronization.

78 com municatio ns o f the ac m | j u ly 201 2 | vo l . 5 5 | no. 7

 to track cached copies, explicit cache
eviction notifications, and hierarchi-
cal design. Using amortized analysis,
we show that interconnection network
traffic per miss need not grow with
core count and that coherence uses at
most 20% more traffic per miss than a
system with caches but not coherence.
Using hierarchical design, we show
that storage overhead can be made
Illustration by Dave Bollinger
to grow as the root of core count and
stay small (such as 2% of total cache
size for even 512 cores). We find neg-
ligible energy and latency overheads
for cache misses to data that is not
actively shared; our analysis suggests
the relative miss penalty and energy
overheads of accessing shared data do
not increase appreciably with increas-
ing core count. Consequently, on-chip
coherence is here to stay. Computer
systems tend not to abandon compat-
ibility to eliminate small costs (such as
those found for scaling coherence). In
particular, system designers will not
likely replace conventional operat-
ing systems now that they have been
shown to scale using cache coher-
ence.2,3 Boyd-Wickizer et al.2 concur,
writing “There is no scalability reason
to give up on traditional operating sys-
tem organizations just yet.”
Some architects and software devel-
opers might object to retaining coher-
ju ly 2 0 1 2 | vo l . 55 | n o. 7 | com m u n i c at ion s o f t he ac m
ence because many applications do
not scale well with coherence. True,
but is the root cause the algorithm,
program implementation, or coher-
ence? If, for example, an algorithm
requires frequent updates to be com-
municated to many readers, coher-
ence and most alternatives do poorly.
At least with hardware coherence,
programmers can concentrate on cho-
reographing independent work rather
than on low-level mechanics.
Our claim for the continued viabil-
ity of on-chip cache coherence does
not imply other communication para-
digms will disappear. There will still be
applications for which message pass-
79
contributed articles
ing is appropriate (such as to scale-out
high-performance computing) or for
which incoherent scratchpad memo-
ries are appropriate (such as real-time
systems), and so those communication
paradigms will persist. However, they
are likely to continue to coexist with
on-chip cache-coherent shared memo-
ry for the foreseeable future.
Cache Coherence Today
Before investigating the issues in-
volved in coherence’s future, we first
describe today’s cache coherence
protocols. Rather than survey coher-
ence protocol design, we focus on
one concrete coherence protocol
loosely based on the on-chip cache
coherence protocol used by Intel’s
Core i7,17 which represents the state
of the art and can scale to a moder-
ate number of cores (such as 16). In
such a system, the cores on the chip
communicate via loads and stores to
the shared memory. Each core has its
own private cache hierarchy (referred
to hereafter as “private cache”). There
is a single shared last-level cache (re-
ferred to hereafter as “shared cache”).
Such shared caches typically employ
address-interleaved banking with one
bank per core, thus proportionally
scaling the bandwidth of the shared
cache as the number of cores increas-
es; this system model is outlined in
the sidebar figure.
To make our analysis simpler and
more concrete, we assume for now that
the shared cache is inclusive with re-
spect to all the private caches. Inclusion
means, at all times, the shared cache
contains a superset of the blocks in the
private caches. Intel’s Core i7 is an ex-
ample of a chip with inclusive caches.
Because inclusion is not a universally
adopted design decision, we discuss
extending our results to non-inclusive
shared caches later.
With inclusion, cache coherence
can be maintained with a coherence
protocol that tracks copies of blocks in
private caches using state embedded
in the shared cache; that is, each block
in the shared cache is augmented with
a few bits of coherence state (such as
to denote if the block is writable by
any core) and per-core tracking bits
that denote which cores are privately
caching the block (one bit per core).
As outlined in the sidebar figure, in-
80 com municatio ns o f the ac m | j u ly 201 2 | vo l . 5 5 | no. 7
clusion requires that block A (cached
by core 0) and block B (cached by cores
1 and 2) must be present in the shared
cache with appropriate tracking bits
We anticipate {1000} and {0110}, respectively. If the
block size of the shared cache is larger
alternatives to than the private cache’s block size,
each entry in the shared cache main-
cache-coherent tains coherence state and tracking
shared memory will bits at the granularity of the private
cache block size.
continue to exist When a core issues a load or store
and thrive in certain that misses in its private cache, it is-
sues a coherence request message
domains but that to the shared cache. Based on the
on-chip coherence block’s coherence state and per-core
tracking bits, the shared cache either
will continue responds directly or forwards the re-
to dominate in quest to the one or more cores that
need to respond to the request. For ex-
mainstream ample, if the request is for read/write
access, and one or more cores is pri-
multicore chips. vately caching the block in a read-only
state, then the shared cache forwards
the request to all private caches in the
tracking list, and these private caches
invalidate their copies of the block. If
no cores are caching the block, then
a request has the negligible overhead
of looking up only the coherence state
bits in the shared cache. This protocol
is essentially a directory-based cache
coherence protocol in which the di-
rectory entries are co-located with the
tags of the shared cache. Inclusion
ensures that each private block has a
corresponding shared block to hold its
coherence tracking bits.
To maintain inclusion, when the
shared cache evicts a block for which
some per-core tracking bits are set,
the shared cache first issues a recall
request (also known as a back-invalida-
tion or notification) to any core current-
ly caching that block as determined
by the per-core tracking state. Upon
receipt of a recall message, the private
cache is forced to evict the block.
This approach to coherence has
many attractive features, helping ex-
plain why current Intel systems re-
semble it. This protocol avoids the
need for a snooping bus and avoids
broadcasting; communication in-
volves only point-to-point messages.
Because the protocol embeds the
per-core tracking bits in the shared
cache, it avoids adding additional
structures dedicated solely to coher-
ence. For small-scale systems (such

as four cores to 16 cores), the stor-
age cost is negligible; a 16-core sys-
tem adds just 16b for each 64B cache
block in the shared cache, or approxi-
mately 3% more bits. For a miss to a
block not cached by other private
caches, the miss latency and energy
consumed incur the negligible over-
head of checking a couple of state bits
in the shared cache rather than just a
single valid bit. As we show later, even
when blocks are shared, the traffic per
miss is limited and independent of
the number of cores. Overall, this ap-
proach is reasonably low cost in terms
of traffic, storage, latency, and energy,
and its design complexity is tractable.
Nevertheless, the question for archi-
tects is: Does this system model scale
to future manycore chips?
Scalability
Some prognosticators forecast that
the era of cache coherence is nearing
its end5,10,13 due primarily to an alleged
lack of scalability. However, when we
examined state-of-the-art coherence
mechanisms, we found them to be
more scalable than we expected.
We view a coherent system as “scal-
able” when the cost of providing co-
herence grows (at most) slowly as core
count increases. We focus exclusively
on the cache-coherence aspects of
multicore scaling, whereas a fully scal-
able system (coherent or otherwise)
also requires scalability from other
hardware (such as memory and on-
chip interconnection network) and
software (operating system and appli-
cations) components.
Here, we examine five potential con-
cerns when scaling on-chip coherence:
˲˲ Traffic on the on-chip interconnec-
tion network;
˲˲ Storage cost for tracking sharers;
˲˲ Inefficiencies caused by maintain-
ing inclusion (as inclusion is assumed
by our base system);
˲˲ Latency of cache misses; and
˲˲ Energy overheads.
The following five sections ad-
dress these concerns in sequence
and present our analysis, indicating
that existing design approaches can
be employed such that none of these
concerns would present a fundamen-
tal barrier to scaling coherence. We
then discuss extending the analysis
to noninclusive caches and address
some caveats and potential criticisms
of this work.
Concern 1: Traffic
Here we tackle the concerns regarding
the scalability of coherence traffic on
the on-chip interconnection network.
To perform a traffic analysis, we con-
sider for each cache miss how many
bytes must be transferred to obtain and
relinquish the given block. We divide
the analysis into two parts: in the ab-
sence of sharing and with sharing. This
analysis shows that when sharers are
tracked precisely, the traffic per miss
is independent of the number of cores.
Thus, if coherence’s traffic is accept-
able for today’s systems with relatively
few cores, it will continue to be accept-
able as the number of cores scales up.
We conclude with a discussion of how
coherence’s per-miss traffic compares
to that of a system without coherence.
Without sharing. We first analyze
the worst-case traffic in the absence
of sharing. Each miss in a private
cache requires at least two messages:
a request from the private cache to the
shared cache and a response from the
shared cache to provide the data to the
requestor. If the block is written during
the time it is in the cache, the block is
“dirty” and must be written explicitly
back to the shared cache upon eviction.
Even without sharing, the traffic de-
pends on the specific coherence proto-
col implementation. In particular, we
consider protocols that require a pri-
vate cache to send an explicit eviction
notification message to the shared
cache whenever it evicts a block, even
when evicting a clean block. (This de-
cision to require explicit eviction noti-
fications benefits implementation of
inclusive caching, as discussed later
in the section on maintaining inclu-
sion.) We also conservatively assume
that coherence requires the shared
Traffic cost of cache misses.
To calculate traffic, we must assume values for the size of addresses and cache blocks (such as 8B
physical addresses and 64B cache blocks). Request and acknowledgment messages are typically
short (such as 8B) because they contain mainly a block address and a message type field. A data
message is significantly larger because it contains both an entire data block plus a block address
(such as 64B + 8B = 72B).
Clean block
Without coherence (Req+Data) + 0 = 80B/miss
With coherence (Req+Data) + (Evict+Ack) = 96B/miss (Req+Data) + (Data+Ack)= 160B/miss
Per-miss traffic overhead 20%
ju ly 2 0 1 2 | vo l . 55 | n o. 7 | c om m u n i c at ion s o f t he acm
contributed articles
cache to send an acknowledgment
message in response to each eviction
notification. Fortunately, clean evic-
tion messages are small (enough to,
say, hold a 8B address) and can oc-
cur only subsequent to cache misses,
transferring, say, a 64B cache block.
Coherence’s additional traffic per
miss is thus modest and, most im-
portant, independent of the number
of cores. Based on 64B cache blocks,
the table here shows that coherence’s
traffic is 96B/miss for clean blocks
and 160B/miss for dirty blocks.
With sharing. In a coherent sys-
tem, when a core reads a block that is
shared, the coherence protocol might
need to forward the request but to at
most only one core; thus the traffic
for each read miss is independent of
the number of cores. However, when
a core incurs a write miss to a block
that is cached by one or more other
cores, the coherence protocol gener-
ates extra messages to invalidate the
block from the other cores. These in-
validation messages are often used to
argue for the nonscalability of cache
coherence, because when all cores
are sharing a block, a coherent system
must send an invalidation message to
all other cores. However, our analysis
shows that when sharers are tracked
precisely, the overall traffic per miss
of cache coherence is independent of
the number of cores; the storage cost
of precise tracking is addressed later,
in the section on storage.
Consider an access pattern in which
a block is read by all cores and then
written by one core. The writer core is
indeed forced to send an invalidation
message to all cores, and each core
will respond with an acknowledgment
message, or a cost of 2N messages for
N sharers. However, such an expen-
sive write operation can occur only
after a read miss by each of the cores.
Dirty block
(Req+Data) + Data = 152B/miss
5%
81
contributed articles

More generally, for every write that sis, the overall average traffic per miss counts for an access pattern param-
invalidates N caches, the write must is constant; a write miss that causes N eterized by the number of read misses
have been preceded by N read misses. messages can occur at most only once to a block between each write miss to
The traffic cost of a read miss is inde- every Nth miss. the block. A workload consisting of
pendent of the number of cores; a read In support of this general analysis, all write misses (zero read misses per
miss is forwarded to a single core, at Figure 1a shows the traffic (in average write miss; far left of Figure 1a) has
most. Thus, through amortized analy- bytes per miss) over a range of core the highest traffic per miss because
all blocks are dirty. Traffic per miss is
Figure 1. Communication traffic for shared blocks. independent of the number of cores
because the shared cache forwards the
write misses to at most one core, the
most recent writer. With an increasing
number of read misses per write miss
700
(moving to the right in Figure 1a), the
average traffic per miss actually de-
600
creases slightly because fewer writes
500 lead to fewer dirty blocks. More impor-
Bytes per miss

tant, the traffic is independent of the

400 number of cores in the system, because
each write miss that causes N messages
300
is offset by N previous read misses.
200
Traffic overhead of coherence. We
have shown that coherence’s per-miss
100 traffic scales because it is indepen-
dent of the number of cores. We now
0 1,024
256
consider coherence’s traffic overhead
0
1

per miss with respect to a hypothetical

2
3

64
4
5

design with caches but no hardware co-

6

Rea 16
7

dm
8

isse Cores herence (such as when software knows

16

s pe 4
32

r wr
64

precisely when cached data is stale

128

ite m
256

iss 1
512

without extra traffic). We continue to

1,024

measure traffic in terms of bytes of traf-

fic on the interconnection network per
(a) With exact tracking of sharers
cache miss, thus assuming that coher-
ence does not change the number of
cache misses. However, this assump-
tion is potentially compromised by
false sharing and inefficient synchro-
700
nization, which can cause nonscalable
600
increases in the number of cache miss-
es. Both of these phenomena are well-
500 known challenges with well-known
Bytes per miss

techniques for their mitigation; we

400 cannot completely eliminate their im-
pact nor cleanly incorporate them into
300
our intentionally simplistic models.
200 The table lists the traffic per miss
for this system without coherence. We
100 now compare this traffic to the system
with coherence. For a clean block, the
0 1,024
256
system without coherence eliminates
0
1

the need for the eviction notification

2
3

64
4
5

and the acknowledgment of this noti-

6

Rea 16
7

dm
8

isse Cores fication. For a dirty block, the system

16

s pe 4
32

r wr
64

without coherence avoids the acknowl-

128

ite m
256

iss 1
512

edgment of the dirty eviction message.

1,024

The key is that none of these three extra

(b) With inexact tracking of sharers messages contain the data block, and
such “control” messages are signifi-
cantly smaller than “data” messages.

82 comm unicatio ns o f th e ac m | j u ly 201 2 | vo l. 5 5 | no. 7


Coherence’s overhead is small, bound-
ed, and—most important—indepen-
dent of the number of cores. Based on
64B cache blocks, the table shows that
coherence adds a 20% traffic overhead
for clean blocks and a 5% overhead for
dirty blocks.
Conclusion. Coherence’s intercon-
nection network traffic per miss scales
when precisely tracking sharers.
Concern 2: Storage
The scalable per-miss traffic result as-
sumed a precise tracking of sharing
state in the shared cache, requiring N
bits of state for a system with N cores.
This assumption leads to the reason-
able concern that such an increase in
tracking state for systems with more
cores could pose a fundamental bar-
rier to scalability. Here, we show that
the storage cost scales gracefully by
quantifying the storage cost and de-
scribing two approaches for bounding
this cost: the first is the traditional use
of inexact encoding of sharers,1,8 which
we discard in favor of often-overlooked
use of on-chip hierarchy to efficiently
maintain an exact encoding of sharers.
The storage cost at the private caches
is negligible; supporting coherence in
the private caches adds just a few state
bits for each cache block, which is less
than 1% storage overhead and inde-
pendent of the number of cores, so our
analysis focuses on additional storage
in the shared cache.
Conventional approach: Inexact
encoding of sharers. The conventional
approach to limiting storage—inexact
encoding of sharers—can work well
but has poor worst-case behavior. It
represents a conservative superset
of sharers using fewer bits than one
bit per potential sharer and was well-
studied in the early 1990s.1,8 As a con-
crete example, the SGI Origin 200014
used a fixed number of bits per block,
regardless of the number of cores. For
small systems, the Origin used these
bits as a bit-vector that tracks shar-
ers exactly. For larger systems, the
Origin alternated between two uses
of these tracking bits. If there were
only a few sharers, the bits would be
used as a limited number of pointers
(each of which requires log2N bits to
encode) that can exactly track sharers.
If the number of sharers exceeds this
limited number of pointers, the Ori-
Figure 2. Hierarchical system model; additions for coherence are shaded.
Cluster 1
Cluster of K cores
core core core
private private private
cache cache cache
Intra-cluster
interconnection network
Cluster Cache
tracking
state bits tag block data
Inter-cluster interconnection network
tracking
state
gin would use the bits as an inexact,
coarse-vector encoding, in which each
bit represents multiple cores. Though
the storage can be bounded, the traf-
fic of such schemes could suffer due to
unnecessary invalidations.
To quantify the traffic impact of such
inexact encodings, Figure 1b shows the
result of applying the analysis from the
previous section on traffic when using
the Origin’s inexact encoding scheme
to bound the storage at 32b per block
in the shared cache (approximately 6%
overhead for 64B blocks). When the
32b is enough for exact tracking (up
to 32 cores) or when the number of
sharers is smaller than the number of
limited pointers (far left of Figure 1b),
the sharers are encoded exactly, result-
ing in the same traffic-per-miss as the
exact encoding. When the number of
sharers is large (far right of Figure 1b),
the write invalidations must be sent to
all cores (independent of encoding), so
the inexact encoding incurs no traffic
penalty. However, when the number of
cores grows and the number of sharers
is in the middle of the range, the traffic
overheads spike. With 1,024 cores, the
spike reaches almost six times the traf-
ju ly 2 0 1 2 | vo l . 55 | n o. 7 | c om m u n i c at ion s o f t he acm
contributed articles
Cluster K
Cluster of K cores
core core core
private private private
cache cache cache
Intra-cluster
interconnection network
Cluster Cache
tracking
state bits tag block data
bits tag block data
Shared
last-level
cache
fic of the exact encoding cases. Though
conventional wisdom might have pre-
dicted an even larger traffic spike for
1,024 cores, we next describe an alter-
native design that eliminates any such
spike in traffic.
Less conventional approach: On-
chip hierarchy for exact tracking. To
avoid a spike in traffic for some sharing
patterns, an alternative is to overcome
this scalability problem through an
on-chip hierarchy of inclusive caches.
Hierarchy is a natural design meth-
odology for scalable systems. With
many cores, the size of private caches
is limited, and the miss latency from
a private cache to the chipwide shared
cache is likely large. As such, many-
core systems,4,16 GPUs,15 and proposed
manycore architectures12 cluster some
number of cores/threads to share an
intermediate level of cache. For exam-
ple, Sun/Oracle’s T2 systems16 share a
small L1 cache between two pipelines,
each with four threads. NVIDIA’s Fermi
GPU15 clusters 32 execution pipelines
into a “shared multiprocessor.” In
AMD’s Bulldozer architecture,4 each
pair of cores has per-core private L0
caches and shares an L1 cache. Such
83
contributed articles
systems fill the gap between a private
cache and a large, distributed shared
cache, allowing the cluster cache to de-
liver faster access to data shared within
the cluster. An additional benefit is
that coherence requests may be satis-
fied entirely within the cluster (such
as by a sibling node caching the block)
that can be significant if the software is
aware of the hierarchy.
The same techniques described
earlier—inclusion, integrating track-
ing state with caches, recall messages,
and explicit eviction notifications—are
straightforward to apply recursively to
provide coherence across a hierarchi-
cal system. Rather than just embed
tracking state at a single shared cache,
each intermediate shared cache also
tracks sharers—but just for the caches
included by it in the hierarchy. Con-
sider a chip (see Figure 2) in which
each core has its own private cache,
each cluster of cores has a cluster
cache, and the chip has a single shared
last-level cache. Each cluster cache is
shared among the cores in the cluster
and serves the same role for coherence
as the shared cache in nonhierarchi-
cal systems; that is, the cluster cache
tracks which private caches within
the cluster have the block. The shared
last-level cache tracks which cluster
caches are caching the block but not
which specific private cache(s) within
the cluster are caching it. For exam-
ple, a balanced 256-core system might
consist of 16 clusters of 16 cores each
with a 16KB first-level cache, a 512KB
second-level shared cluster cache, and
a 16MB third-level (last-level) cache
shared among all clusters.
Such a hierarchical organization
has some disadvantages—extra com-
plexity and layers of cache lookups—
but also two key benefits for coherence:
First, the hierarchy naturally provides
a simple form of fan-out invalidation
and acknowledgment combining. For
example, consider a block cached by all
cores; when a core issues a write miss
to this block, the cluster cache lacks
write permission for the block, so it for-
wards it to the shared last-level cache.
The shared last-level cache then sends
an invalidation message to each cluster
(not to each core), triggering the clus-
ter cache to perform an analogous in-
validation operation within the cluster.
The cluster then sends a single invali-
84 comm unicatio ns o f the acm | j u ly 201 2 | vol . 5 5 | no. 7
dation acknowledgment independent
of the number of cores in the cluster
that were caching the block. Compared
to a flat protocol, which must send ac-
knowledgments to every requestor,
the total cross-chip traffic is reduced,
and the protocol avoids the bottleneck
of sequentially injecting hundreds or
thousands of invalidation messages
and later sequentially processing the
same number of acknowledgments.
The second benefit is that a hierar-
chical system that enforces inclusion
at each level reduces the storage cost
of coherence. Recall from the previous
section on traffic that using an exact
encoding of sharers allows for scalable
communication for coherence but
that we deferred the seeming problem
of the storage cost of exact encoding.
Now we show that by using hierarchy
we can also make the storage cost scale
gracefully. Consider first a two-level
system (three levels of cache) consist-
ing of K clusters of K cores each (K2 = C
total cores). Each cluster cache is in-
clusive with respect to all private cach-
es within the cluster, and the shared
last-level cache is inclusive with re-
spect to all cluster caches. Each cluster
cache block uses one bit for each of the
K private caches it includes, plus a few
bits of state. Likewise, each shared
last-level cache block consumes a bit
for each of the K cluster caches it in-
cludes, plus a few bits of state. Impor-
tantly, these storage costs grow as a
linear function of K and thus propor-
tional to √—C. Even if C increases great-
ly, √—
C grows more slowly.
This storage cost at the cluster
caches and last-level cache could be re-
duced even further by extending the hi-
erarchy by one level. Consider a system
with K level-2 clusters, each consisting
of K level-1 clusters, with each level-1
cluster consisting of K cores. This sys-
tem has C = K3 cores and a storage cost
proportional to cube root of C.
In Figure 3, we plot coherence’s stor-
age overhead (coherence’s storage as
a fraction of the total cache storage)
in terms of the bits needed to provide
precise tracking of sharers, for conven-
tional flat (nonhierarchical) systems,
2-level systems, and 3-level systems. As
a very large example, a 1,024-core 2-lev-
el system might have 32 clusters of 32
cores, thus 32b per 64B cache block at
each level, which is just 6%. An extreme
4,096-core 3-level system would have 16
clusters, each with 16 subclusters of 16
cores, with storage overhead of only 3%.
Conclusion. Hierarchy combined
with inclusion enables efficient scaling
of the storage cost for exact encoding
of sharers.
Concern 3: Maintaining Inclusion
In the system model covered here,
we initially choose to require that the
shared cache maintain inclusion with
respect to the private caches. Main-
taining an inclusive shared cache
allows efficient tracking of blocks
in private caches by embedding the
tracking information in the tags of the
shared cache, and is why we use this
design point. Inclusion also simpli-
fied our earlier analysis of communi-
cation and storage.
Inclusion requires that if a block is
cached in any private cache, it must also
be cached in the shared cache. When
the shared cache evicts a block with
nonempty tracking bits, it is required
to send a recall message to each private
cache that is caching the block, adding
to system traffic. More insidiously, such
recalls can increase the cache miss rate
by forcing cores to evict hot blocks they
are actively using.11 To ensure scalabil-
ity, we seek a system that makes recall
messages vanishingly rare.
Recalls occur when the shared cache
is forced to evict a block with one or
more sharers. To reduce the number
of recalls, the shared cache always
chooses to evict nonshared blocks over
shared blocks. Because the capacity
of an inclusive shared cache often ex-
ceeds the aggregate capacity of the pri-
vate caches (for example, the ratio is 8
for the four-core Intel Core i7 with 8MB
shared cache and four 256KB second-
level private caches), it is highly likely
that a nonshared block will be available
to evict whenever an eviction occurs.
Unfortunately, the shared cache
sometimes lacks sufficient informa-
tion to differentiate between a block
possibly being cached and certainly
being cached by a core. That is, the
tracking bits in the shared cache are
updated when a block is requested, but
the shared cache in some systems does
not always know when a private cache
has evicted the block. In such systems,
clean blocks (those not written during
their lifetime in the cache) are evicted
 contributed articles

silently from the private caches, intro-
ducing ambiguity at the shared cache
as to what is still being cached and what
has already been evicted. This lack of
information manifests as poor replace-
ment decisions at the shared cache.
To remedy this lack of information,
a system can instead require the pri-
vate caches to send explicit notification
messages whenever a block is evicted,
even when evicting clean blocks. For
example, AMD’s HT-Assist protocol
uses explicit eviction notifications on
clean-exclusive block replacements to
improve sharer state encoding.6 If such
eviction notifications occur on every
cache eviction, the protocol enables
the shared cache to maintain precise
up-to-date tracking of private caches
that hold each block, transforming the
tracking information from conserva-
tive to exact. When an eviction deci-
sion does occur, the shared cache thus
tivity on recall rate, we performed a Figure 4 shows the recall rate, or per-
simulation modeling recalls due to en- centage of misses that cause a recall,
forcing inclusion in such a system. We for shared caches of various sizes (as
pessimistically configured the private a ratio of aggregate per-core capacity)
caches to be fully associative. To factor for several shared cache associativi-
out the effect of any particular bench- ties. When the capacity of the shared
mark, we generated a miss-address cache is less than the aggregate per-
stream to random sets of the shared core capacity (ratio < 1.0), almost every
cache that prior work found accurately request causes a recall, because the
approximates conflict rates.9 We also private caches are constantly contend-
pessimistically assumed no data shar- ing for an unrealistically underprovi-
ing among the cores that would reduce sioned shared cache. As the size of the
the inclusive capacity pressure on the shared cache increases, the recall rate
shared cache. drops quickly. When the capacity ratio
Fortunately, recalls can be made reaches four times, even an eight-way
rare in the expected design space. set-associative shared cache keeps
Figure 3. Storage overhead in shared caches.
Single-Level Two-Level Three-Level
20%
18%
Storage Overhead (percent)

16%
knows which blocks are no longer be-
14%
ing cached and likely have a choice to
evict a nonshared block to avoid a re- 12%
call. However, this precision comes at a 10%
cost in the form of increased traffic for 8%
evictions of clean blocks, the overhead 6%
of which was already included in the
4%
traffic analysis.
Explicit eviction notifications can 2%

potentially eliminate all recalls, but 0%

only if the associativity, or number of 1 2 4 8 16 32 64 128 256 512 1024 2048 4096
places in which a specific block may Cores
be cached, of the shared cache ex-
ceeds the aggregate associativity of
the private caches. With sufficient as-
sociativity, whenever the shared cache Figure 4. Likelihood a shared cache miss triggers a recall.
looks for a nonshared block to evict, if
it has exact sharing information, it is Associativity of Shared Cache
guaranteed to find a nonshared block 1-way 2-way 4-way 8-way
and thus avoid a recall. Without this 100

worst-case associativity, a pathological 90

Percentage of misses causing recalls

cluster of misses could lead to a situa-

80
tion in which all blocks in a set of the
shared cache are truly shared. Unfortu- 70

nately, even with a modest number of 60

cores, the required associativity is pro-
50
hibitive, as reported by Ferdman et al.7
For example, eight cores with eight-way 40
set-associative private caches require a 30
64-way set-associative shared cache,
20
and the required associativity doubles
for each doubling of the number of 10
Expected
cores. 0 Design
Space
Rather than eliminate all recalls, 0 1 2 3 4 5 6 7 8
we focus on a system in which recalls Ratio of aggregate private cache capacity to shared cache capacity
are possible but rare. To estimate the
effect of limited shared cache associa-

ju ly 2 0 1 2 | vo l . 55 | n o. 7 | c om m u n i c at ion s o f t he acm 85
contributed articles
The Problem of Incoherence
Incoherence. To illustrate the problem
of incoherence, consider the multiple
cores and corresponding private
caches in the upper-right of the figure
here. If core 1 writes the block labeled
B by updating its private cache only,
subsequent reads by core 2 would
see the old value indefinitely. This
incoherence can lead to incorrect
behavior; for example, if the block
holds a synchronization variable
for implementing mutual exclusion
using a lock, such incoherent
behavior could allow multiple cores
into a critical section or prevent cores
waiting for the release of the lock
from making forward progress.
The coherence invariant. The
mainstream solution to preventing
System model; additions for coherence are shaded.
Block in private cache
state tag block data
~2 bits ~64 bits ~512 bits
Block in shared cache
tracking
bits state tag block data
~1 bit ~2 bits ~64 bits ~512 bits
per core
State — Meaning
M (Modified) — Read/write permission
S (Shared) — Read-only permission
I (Invalid) — No permissions
the recall rate below 0.1%. For com-
parison, the Intel Core i7 has a 16-way
set-associative cache with eight times
capacity ratio. Based on this analysis,
we conclude that the traffic overhead
of enforcing inclusion is negligible for
systems with explicit eviction notifi-
cations and reasonable shared cache
sizes and associativities.
Conclusion. Chip architects can de-
86 com municatio ns o f th e ac m | j u ly 201 2 | vo l . 5 5 | no. 7
incoherence is a hardware cache-
coherence protocol. Though there
are many possible coherence
protocols, all maintain coherence by
ensuring the single-writer, multiple-
reader invariant; that is, for a given
block at any given moment in time,
there is either:
˲˲ Only a single core with write (and
read) permission to the block (in
state M for modified); or
˲˲ Zero or more cores with read
permission to the block (in state S for
shared).
Enforcing coherence. The figure
here outlines core 0 caching block A
with read/write permission (state M)
and cores 1 and 2 caching block B
with read-only permission (state S).
Core Core
0 1
private cache private cache
A: M, …
B: S, …
Interconnection network
Bank O Bank 1
A: {1000} M …
Shared cache
(banked by block address)
sign a system with an inclusive shared
cache with negligible recall rate, and
thus can efficiently embed the tracking
state in the shared cache.
Concern 4: Latency
In a non-coherent system, a miss in a
private cache sends a request to the
shared cache. As discussed earlier, to
provide sufficient bandwidth, shared
A write to block B by core 1 (which
in our example led to incoherence)
is not allowed to update its read-
only copy of the block. Instead,
core 1 must first obtain write
permission to the block. Obtaining
write permission without violating
the single-writer, multiple-reader
invariant requires invalidating any
copies of the block in other caches
(core 2 in this case, as encoded
by the tracking bits in the shared
cache). Such actions are handled in
hardware by cache-coherence logic
integrated into the cache controllers.
The section on cache coherence
today presents a protocol (and
describes the rest of the diagram); for
more, see Sorin et al.18
Core Core
2 3
private cache private cache
B: S, … B: I
Bank 2 Bank 3
B: {0110} S …
caches are typically interleaved by ad-
dresses with banks physically distrib-
uted across the chip (see the sidebar
figure), so the expected best-case la-
tency of a miss that hits in the shared
cache is the access latency of the cache
bank plus the round-trip traversal of
the on-chip interconnect to reach the
appropriate bank of the shared cache.
Requests that miss in the shared cache

are in turn routed to the next level of
the memory hierarchy (such as off-
chip memory).
In a coherent system with private
caches and a shared cache, four cases
are worth consideration with regard to
miss latency: a hit in the private cache;
a direct miss in which the shared
cache can fully satisfy the request, that
is, to a block not cached in other pri-
vate caches; an indirect miss, in which
the shared cache must contact one or
more other caches; and a miss in the
shared cache, incurring a long-latency
access to off-chip memory. Coherence
adds no latency to perhaps the two
most performance-critical cases: pri-
vate cache hits (the first case) and off-
chip misses (the fourth case). Coher-
ence also adds no appreciable latency
to direct misses because the coher-
ence state bits in the tags of the shared
cache can be extended to unambigu-
ously distinguish between direct and
indirect misses.
However, indirect misses do incur
the extra latency of sending a mes-
sage on the on-chip interconnection
network to the specified private cores.
Such messages are sent in parallel, and
responses are typically sent directly to
the original requester, resulting in a
“three-hop protocol.” Thus, the criti-
cal path latency of direct and indirect
misses can be approximated by the fol-
lowing formulas:
Non-coherent
tnoncoherent = tinterconnect + tcache + tinterconnect
Coherent
tdirect = tinterconnect + tcache + tinterconnect
tindirect = tinterconnect + tcache + tinterconnect + tcache
+ tinterconnect
The indirect miss latency for coher-
ence is from 1.5 to two times larger
than the latency of a non-coherent
miss; the exact ratio depends on the
relative latencies of cache lookup (tcache)
and interconnect traversal (tinterconnect).
This ratio is considered acceptable in
today’s multicore systems, in part be-
cause indirect misses are generally in
the minority for well-tuned software.
The ratio also indicates scalability, as
the ratio is independent of the num-
ber of cores. Even if the absolute inter-
connect latency increases with more
cores, such increases will generally
increase the latency of all misses (even
in a non-coherent system) roughly pro-
portionally, keeping the ratio largely
unchanged. Moreover, if latency is still
deemed too great, for either coherent
or non-coherent systems, these sys-
tems can use prefetching to hide the
latency of anticipated accesses.
Similar reasoning can be applied re-
cursively to calculate the latency ratio
for a system with more layers of hier-
archy. Though the effect of hierarchy
may hurt absolute latency (such as due
to additional layers of lookup), we see
no reason why hierarchy should signifi-
cantly affect the ratio of the latencies of
direct to indirect misses. Furthermore,
the cluster caches introduced by hier-
archy may help mitigate the growing
cross-chip latency by providing a closer
mid-size cache that allows faster shar-
ing within a cluster and reducing the
number of longer-latency accesses to
the chipwide distributed shared last-
level cache. Modeling the full effect of
hierarchy on latency (and traffic) is be-
yond the reach of the simple models we
use here.
Conclusion. Though misses to ac-
tively shared blocks have greater la-
tency than other misses, the latency ra-
tio is tolerated, and the ratio need not
grow as the number of cores increases.
Concern 5: Energy
Though a detailed energy analysis is
perhaps not as straightforward as the
analyses we have reported here, we can
use these analyses to support the con-
clusion that the energy cost of coher-
ence is also not a barrier to scalabil-
ity. Energy overheads generally come
from both doing more work (dynamic/
switching energy) and from additional
transistors (static/leakage energy).
For dynamic energy, the primary
concerns are extra messages and ad-
ditional cache lookups. However, we
have shown that interconnect traffic
and message count per-miss do not
increase with the number of cores, in-
dicating the protocol state transitions
and number of extra cache lookups are
likewise bounded and scalable.
For static energy, the primary con-
cerns are the extra tracking state we
have also shown scales gracefully and
leakage due to any extra logic for pro-
tocol processing. Protocol process-
ing logic is added per core and/or per
cache bank and thus should also add
ju ly 2 0 1 2 | vo l . 55 | n o. 7 | c om m u n i c at ion s o f t he acm
contributed articles
at most a fixed per-core, thus scalable,
leakage energy overhead.
Furthermore, many energy-inten-
sive parts of the system—the cores
themselves, the cache data arrays, off-
chip DRAM, and storage—are largely
unaffected by coherence, so energy
overheads incurred by coherence are
relatively smaller when weighed against
the context of the overall system.
Conclusion. Based on these traffic
and storage scalability analyses, we
find no reason the energy overheads
of coherence must increase with the
number of cores.
Non-Inclusive Shared Caches
So far we have assumed an inclusive
shared cache, like that of Intel’s Core
i7, but this choice is not universal.
Rather than require a private cache
block to be present in the shared cache
(inclusion), a system can forbid it from
being present (exclusion) or allow but
not require it to be present (neither in-
clusion nor exclusion). Not enforcing
inclusion reduces redundant caching
(less important for the Core i7 whose
shared cache size is eight times the
sum of its private cache sizes) but has
implications for coherence.
A non-inclusive system can retain
the coherence benefits of an inclusive
shared cache by morphing it into two
structures: a new noninclusive shared
cache that holds tags and data, but not
tracking state, and is free to be of any
size and associativity; and a “directory”
that holds tags and per-core tracking
state, but not data blocks, and uses
inclusion to operate like a dataless ver-
sion of the previous inclusive shared
cache; this design roughly resembles
some systems from AMD.6
To the first order, the communi-
cation between the directory and its
private caches is the same as with the
original inclusive shared cache, provid-
ed the directory continues to be large
enough to keep recalls rare. Moreover,
designers now have more freedom in
setting the new non-inclusive shared
cache configuration to trade off cost
and memory traffic. Though the direc-
tory-tracking state is the same as with
an inclusive shared cache (total direc-
tory size is proportional to the sum of
private cache sizes), the storage effect
is more significant because the directo-
ry must also include tags (there for free
87
contributed articles
in the original inclusive shared cache),
and the relative overhead becomes
larger if the hardware designer opts for
a smaller shared cache.
To be concrete, let S1 be the sum
of private cache sizes, S2 the shared
cache size, D the directory entry size
relative to the size of a private cache
block and tag, and R, the ratio of the
number of directory entries to the to-
tal number of private cache blocks. R
should be greater than 1 to keep recalls
rare, as discussed earlier in the section
on maintaining inclusion. Directory
storage adds R×S1×D to cache storage
S1+S2 for a relative overhead of (R×D)/
(1+S2/S1). Assume that R=2 and D=64b/
(48b+512b). If S2/S1 is 8, as in Core i7,
then directory storage overhead is only
2.5%. Shrinking S2/S1 to 4, 2, and 1 in-
creases relative overhead to 4.6%, 7.6%,
and 11%, respectively.
The use of hierarchy adds another
level of directory and an L3 cache. With-
out inclusion, the new directory level
must point to an L2 bank if a block is
either in the L2 bank or in its co-locat-
ed directory. For cache size ratio Z = S3/
S2 = S2/S1 = 8, the storage overhead for
reaching 256 cores is 3.1%. Shrinking Z
to 4, 2, or 1 at most doubles the relative
overhead to 6.5%, 13%, or 23%, respec-
tively. Furthermore, such storage over-
heads translate into relatively lower
overheads in terms of overall chip area,
as caches are only part of the chip area.
Overall, we find that directory storage
is still reasonable when the cache size
ratio Z > 1.
Caveats and Criticisms
We have described a coherence proto-
col based on known ideas to show the
costs of on-chip coherence grow slowly
with core count. Our design uses a hier-
archy of inclusive caches with embed-
ded coherence state whose tracking in-
formation is kept precise with explicit
cache-replacement messages. Using
amortized analysis, we have shown that
for every cache miss request and data
response, the interconnection network
traffic per miss is independent of the
number of cores and thus scales. Em-
bedding coherence state in an inclu-
sive cache hierarchy keeps coherence’s
storage costs small; for example, 512
cores can be supported with 5% extra
cache area with two cache levels or 2%
with three levels. Coherence adds neg-
88 communicatio ns o f th e acm | j u ly 201 2 | vo l. 5 5 | no. 7
ligible latency to cache hits, off-chip
accesses, and misses to blocks not ac-
tively shared; miss latency for actively
shared blocks is higher, but the ratio
Forcing software of the latencies for these misses is tol-
erable today and independent of the
to use software- number of cores. Energy overheads of
managed coherence
coherence are correlated with traffic
and storage, so we find no reason for
or explicit message energy overheads to limit the scalabil-
ity of coherence. Extensions to a non-
passing does not inclusive shared cache show larger but
remove complexity manageable storage costs when shared
cache size is larger than the sum of pri-
but rather shifts vate cache size. With coherence’s costs
complexity from shown to scale, we expect on-chip co-
herence is here to stay due to the pro-
hardware to grammability and compatibility ben-
software. efits it delivers.
Nevertheless, this work has limita-
tions and potential criticisms. First, we
did not include detailed architectural
simulations with specific benchmarks
or consider difficult-to-model queuing
effects due to cache and interconnect
contention. Instead, we showed that
coherence’s per-miss traffic is inde-
pendent of the miss pattern and num-
ber of cores. Though less precise than
detailed simulation, our results are
more robust, as they are not limited to
the specific benchmarks studied. Fur-
thermore, we described our protocol
as an existence proof of a scalable co-
herence protocol but do not claim it is
the best. To this more modest end, less
precision is required.
Second, we did not compare our
protocol against multicore chips with-
out caches or without a shared address
space. Though these approaches have
been successful in high-performance
computing, they are not common in
mainstream multicore systems. Given
that coherence’s costs can be kept low
and that some operating systems use
hardware coherence to scale to many
cores,2,3 we find no compelling reason
to abandon coherence. We thus an-
ticipate alternatives to cache-coherent
shared memory will continue to ex-
ist and thrive in certain domains but
that on-chip coherence will continue
to dominate in mainstream multicore
chips. Furthermore, coherent systems
can support legacy algorithms from
these other domains, as any program
that works for scratchpad systems
(such as the Cell processor) or message
passing systems (such as an MPI clus-

ter) maps easily to a shared memory
system with caches.
Third, we are aware of the complexi-
ty challenge posed by coherence and do
not underestimate the importance of
managing complexity but also that the
chip-design industry has a long history
of managing complexity. Many com-
panies have sold many systems with
hardware cache coherence. Designing
and validating the coherence protocols
in them is not easy, but industry con-
tinues to overcome these challenges.
Moreover, the complexity of coherence
protocols does not necessarily scale up
with increasing numbers of cores. Add-
ing more cores to an existing multicore
design has little effect on the conceptu-
al complexity of a coherence protocol,
though it may increase the amount of
time necessary to validate the protocol.
However, even the validation effort
may not pose a scalability problem;
research shows it is possible to de-
sign hierarchical coherence protocols
that can be formally verified with an
amount of effort that is independent
of the number of cores.19 Furthermore,
the complexity of the alternative to
hardware coherence—software imple-
mented coherence—is non-zero. As
when assessing hardware coherence’s
overheads—storage, traffic, latency,
and energy—chip architects must be
careful not to implicitly assume the
alternative to coherence is free. Forc-
ing software to use software-managed
coherence or explicit message passing
does not remove the complexity but
rather shifts the complexity from hard-
ware to software.
Fourth, we assumed a single-chip
(socket) system and did not explicitly
address chip-to-chip coherence in to-
day’s multisocket servers. The same
sort of tagged tracking structures can
be applied to small-scale multisocket
systems,6 essentially adding one more
level to the coherence hierarchy. More-
over, providing coherence across mul-
tisocket systems may become less im-
portant, because single-chip solutions
solve more needs, and “scale out” so-
lutions are required in any case (such
as for data centers), but that is an argu-
ment for another article.
Finally, even if coherence itself
scales, we did not address other is-
sues that might prevent practical
multicore scaling, such as die-area
limitations, scalability of the on-chip
interconnect, and critical problems
of software non-scalability. Despite
advances in scaling operating systems
and applications, many applications
do not (yet) effectively scale to many
cores. This article does not improve
that situation. Nevertheless, we have
shown that on-chip hardware coher-
ence can be made to scale gracefully,
freeing application and system soft-
ware developers from having to re-
implement coherence (such as know-
ing when to flush and refetch data) or
orchestrating explicit communication
via message passing.
Conclusion. On-chip coherence can
be made to scale gracefully, enabling
programmers to concentrate on what
matters for parallel speedups—find-
ing work to do in parallel without undo
communication and synchronization.
Acknowledgments
We thank James Balfour, Colin
Blundell, Derek Hower, Steve Keckler,
Alvy Lebeck, Steve Lumetta, Steve Re-
inhardt, Mike Swift, and David Wood.
This material is based on work sup-
ported by the National Science Foun-
dation (CNS-0720565, CNS-0916725,
CNS-1117280, CCF-0644197, CCF-
0905464, CCF-0811290, and CCF-
1017650); Sandia/Department of Ener-
gy (MSN123960/DOE890426); and the
Semiconductor Research Corporation
(2009-HJ-1881). Any opinions, find-
ings, and conclusions or recommen-
dations expressed here are those of
the authors and do not necessarily re-
flect the views of the National Science
Foundation, Sandia/DOE, or SRC. The
authors have also received research
funding from AMD, Intel, and NVIDIA.
Hill has a significant financial interest
in AMD. coherence: Scalably verifiable cache coherence.
References
1. Agarwal, A., Simoni, R., Horowitz, M., and Hennessy,
J. An evaluation of directory schemes for cache
coherence. In Proceedings of the 15th Annual
International Symposium on Computer Architecture
(Honolulu, May). IEEE Computer Society Press, Los
Alamitos, CA, 1988, 280–298.
2. Boyd-Wickizer, S. Clements, A.T., Mao, Y., Pesterev,
A., Kaashoek, M.F., Morris, R., and Zeldovich, N.
An analysis of Linux scalability to many cores. In
Proceedings of the Ninth USENIX Symposium on
Operating Systems Design and Implementation
(Vancouver, Oct. 4–6). USENIX Association, Berkeley,
CA, 2010, 1–8.
3. Bryant, R. Scaling Linux to the extreme. In
Proceedings of the Linux Symposium (Boston, June
27–July 2, 2004), 133–148.
4. Butler, M., Barnes, L., Sarma, D.D., and Gelinas, B.
Bulldozer: An approach to multithreaded compute
ju ly 2 0 1 2 | vo l . 55 | n o. 7 | c om m u n i c at ion s o f t he acm
contributed articles
performance. IEEE Micro 31, 2 (Mar./Apr. 2011), 6–15.
5. Choi, B., Komuravelli, R., Sung, H., Smolinski, R.,
Honarmand, N., Adve, S.V., Adve, V.S., Carter, N.P., and
Chou, C.-T. DeNovo: Rethinking the memory hierarchy
for disciplined parallelism. In Proceedings of the 20th
International Conference on Parallel Architectures
and Compilation Techniques (Galveston Island, TX,
Oct. 10–14). IEEE Computer Society, Washington,
D.C., 2011, 155–166.
6. Conway, P., Kalyanasundharam, N., Donley, G., Lepak,
K., and Hughes, B. Cache hierarchy and memory
subsystem of the AMD Opteron processor. IEEE Micro
30, 2 (Mar./Apr. 2010), 16–29.
7. Ferdman, M., Lotfi-Kamran, P., Balet, K., and Falsafi,
B. Cuckoo directory: Efficient and scalable CMP
coherence. In Proceedings of the 17th Symposium
on High-Performance Computer Architecture (San
Antonio, TX, Feb. 12–16). IEEE Computer Society,
Washington, D.C., 2011, 169–180.
8. Hill, M.D., Larus, J.R., Reinhardt, S.K., and Wood, D.A.
Cooperative shared memory: Software and hardware
for scalable multiprocessors. ACM Transactions on
Computer Systems 11, 4 (Nov. 1993), 300–318.
9. Hill, M.D. and Smith, A.J. Evaluating associativity in
CPU caches. IEEE Transactions on Computers 38, 12
(Dec. 1989), 1612–1630.
10. Howard, J. et al. A 48-core IA-32 message-passing
processor with DVFS in 45nm CMOS. In Proceedings
of the International Solid-State Circuits Conference
(San Francisco, Feb. 7–11, 2010), 108–109.
11. Jaleel, A., Borch, E., Bhandaru, M., Steely Jr., S.C., and
Emer, J. Achieving noninclusive cache performance
with inclusive caches: Temporal locality-aware
cache management policies. In Proceedings of the
43rd Annual IEEE/ACM International Symposium on
Microarchitecture (Atlanta, Dec. 4–8). IEEE Computer
Society, Washington, D.C., 2010, 151–162.
12. Kelm, J.H., Johnson, D.R., Johnson, M.R., Crago, N.C.,
Tuohy, W., Mahesri, A., Lumetta, S.S., Frank, M.I.,
and Patel, S.J. Rigel: An architecture and scalable
programming interface for a 1,000-core accelerator.
In Proceedings of the 36th Annual International
Symposium on Computer Architecture (Austin, TX,
June 20–24). ACM Press, New York, 2009, 140–151.
13. Kelm, J.H., Johnson, D.R., Tuohy, W., Lumetta, S.S.,
and Patel, S.J. Cohesion: An adaptive hybrid memory
model for accelerators. IEEE Micro 31, 1 (Jan./Feb.
2011), 42–55.
14. Laudon, J. and Lenoski, D. The SGI Origin: A ccNUMA
highly scalable server. In Proceedings of the 24th
Annual International Symposium on Computer
Architecture (Denver, June 2–4). ACM Press, New
York, 1997, 241–251.
15. Nickolls, J. and Dally, W.J. The GPU computing era.
IEEE Micro 30, 2 (Mar./Apr. 2010), 56–69.
16. Shah, M., Barren, J., Brooks, J., Golla, R., Grohoski,
G., Gura, N., Hetherington, R., Jordan, P., Luttrell, M.,
Olson, C., Sana, B., Sheahan, D., Spracklen, L., and
Wynn, W. UltraSPARC T2: A highly treaded, power-
efficient SPARC SOC. In Proceedings of the IEEE
Asian Solid-State Circuits Conference (Jeju, Korea,
Nov. 12–14, 2007), 22–25.
17. Singhal, R. Inside Intel next-generation Nehalem
microarchitecture. Hot Chips 20 (Stanford, CA, Aug.
24–26, 2008).
18. Sorin, D.J., Hill, M.D., and Wood, D.A. A Primer on
Memory Consistency and Cache Coherence. Morgan &
Claypool Publishers, 2011.
19. Zhang, M., Lebeck, A.R., and Sorin, D.J. Fractal
In Proceedings of the 43rd Annual IEEE/ACM
International Symposium on Microarchitecture
(Atlanta, Dec. 4–8). IEEE Computer Society,
Washington, D.C., 2010, 471–482.
Milo M.K. Martin ([email protected]) is an
associate professor in the Computer and Information
Science Department of the University of Pennsylvania,
Philadelphia, PA.
Mark D. Hill ([email protected]) is a professor in both
the Computer Sciences Department and the Electrical and
Computer Engineering Department of the University of
Wisconsin-Madison.
Daniel J. Sorin ([email protected]) is an associate
professor in the Electrical and Computer Engineering
and Computer Science Departments of Duke University,
Durham, NC.
© 2012 ACM 0001-0782/12/07 $15.00
89
review articles
doi:10.1145/ 2209249.2209270
To illustrate the naturalness of con-
A novel paradigm for programming reactive structing systems by composing be-
haviors, consider how children may be
systems centered on naturally specified taught, step-by-step, to play strategy
modular behavior. games (See Gordon et al.14). For exam-
ple, in teaching the game of Tic-Tac-
By David Harel, Assaf Marron, and Gera Weiss Toe, we first describe rules of the game,
such as:

Behavioral
EnforceTurns: To play, one player
marks a square in a 3 by 3 grid with X,
then the other player marks a square
with O, then X plays again, and so on;
SquareTaken: Once a square is

Programming
marked, it cannot be marked again;
DetectXWin/DetectOWin: When
a player places three of his or her marks
in a horizontal, vertical, or diagonal
line, the player wins;
Spelling out the requirements for a software system Now we may already start playing.
Later, the child may infer, or the teach-
under development is not an easy task, and translating er may suggest, some tactics:
captured requirements into correct operational software AddThirdO: After placing two Os in
can be even harder. Many technologies (languages, a line, the O player should try to mark
the third square (to win the game);
modeling tools, programming paradigms) and PreventThirdX: After the X player
methodologies (agile, test-driven, model-driven) were marks two squares in a line, the O play-
er should try to mark the third square
designed, among other things, to help address these (to foil the attack); and
challenges. One widely accepted practice is to formalize DefaultOMoves: When other tac-
requirements in the form of use cases and scenarios. tics are not applicable, player O should
prefer the center square, then the cor-
Our work extends this approach into using scenarios
for actual programming. Specifically, we propose key insights
scenario-coding techniques and design approaches for 
Behavioral programming is a novel,
constructing reactive systems28 incrementally from their language-independent paradigm for
programming reactive systems, centered
expected behaviors. on natural and incremental specification
of behavior, and implemented in the visual
The work on behavioral programming began formalism of live sequence charts (LSC),
with scenario-based programming, a way to create and in the BPJ Java package.

executable specifications of reactive systems, 

The approach allows coding
applications as multi-modal scenarios,
introduced through the language of live sequence each corresponding to an individual
requirement, specifying what can, must,
charts (LSC) and its Play-Engine implementation.11,21 or may not happen following certain
sequences of events.
The initial purpose was to enable testing and refining

To facilitate full behavioral modularity
specifications and prototypes, and it was later via the independent coding of separate
facets of behavior, all scenarios run
extended toward building actual systems. To this end, simultaneously, and all are consulted at
the underlying behavioral principles have also been every decision point during execution.

implemented in Java via the BPJ package25 and in 

The paradigm is supported by tools
for debugging, execution planning,
additional environments,26,34,42,43 adding a programming learning-based adaptivity, and
model-checking for early detection of
point of view to that of requirement specification. conflicting and incomplete requirements.

90 comm unicatio ns o f the acm | j u ly 201 2 | vo l. 5 5 | no. 7

 ners, and mark an edge square only
when there is no other choice.
Such required behaviors can be cod-
ed in executable software modules using
behavioral programming idioms and
infrastructure, as we will detail. Full be-
Illustration by Leandro C astel ao
havioral implementations of the game
exist in Java25 and Erlang.43 In Harel et
al.20 we show how model-checking tech-
nologies allow discovery of unhandled
scenarios, enabling the user to incre-
mentally develop behaviors for new tac-
tics (and forgotten rules) until a software
system is achieved that plays legally and
assures the computer never loses.
This example already suggests the
following advantages of behavioral
programming. First, we were able to
code the application incrementally in
modules that are aligned with the re-
quirements (game rules and tactics),
as perceived by users and program-
mers. Second, we added new tactics
and rules (and still more can be add-
ed) without changing, or even looking
at, existing code. Third, the resulting
ju ly 2 0 1 2 | vo l . 55 | n o. 7 | c om m u n i c at ion s o f t he ac m
product is modular, in that tactics
and rules can be flexibly added and re-
moved to create versions with different
functionalities, for example, to play at
different expertise levels.
Naturally, composing behaviors
that were programmed without di-
rect consideration of mutual de-
pendencies raises questions about
conflicting requirements, under-
specification, and synchronization.
We deal with these issues by using
composition operators that allow
91
review articles

both adding and forbidding behav- In this article, we present the prin- behavioral programming with the LSC
iors, analysis tools such as model ciples of behavioral programming and language and elaborate on how one
checkers, and architectures for large- illustrate how to program behavioral deals with conflicting behaviors, un-
scale applications. applications in Java. We detail visual derspecification, and a large number
of simultaneous behaviors. We con-
Figure 1. A schematic view of the execution cycle of behavior threads using an enhanced clude with a comparison to other devel-
publish/subscribe protocol.
opment approaches, applications, and
future research.

behavior
Requested Events Basic Behavioral Idioms
thread We propose the term behavioral ap-
plication for software consisting of
behavior Blocking
thread independent components (called
b-threads) that generate a flow of
behavior events via an enhanced publish/sub-
thread
scribe protocol, as follows (see Fig-
behavior ure 1). Each b-thread is a procedure
thread Selected Event that runs in parallel to the other b-
threads. When a b-thread reaches a
point that requires synchronization,
it waits until all other b-threads reach
1. All behavior threads synchronize and place their “bids”:
synchronization points in their own
˲˲ Requesting an event: proposing that the event be considered for triggering, and asking to be
flow. At synchronization points, each
notified when it is triggered;
b-thread specifies three sets of events:
˲˲ Waiting for an event: without proposing its triggering, asking to be notified when the event is
requested events: the thread proposes
triggered;
that these be considered for trigger-
˲˲ Blocking an event: forbidding the triggering of the event, vetoing requests of other behavior
ing, and asks to be notified when any
threads. of them occurs; waited-for events: the
2. An event that is requested and not blocked is selected; thread does not request these, but
asks to be notified when any of them
3. The behavior threads that requested or wait for the selected event are notified;
is triggered; and blocked events: the
4. The notified behavior vthreads progress to their next states, where they place new bids.
thread currently forbids triggering
any of these events.
When all b-threads are at a synchro-
nization point, an event is chosen, that
Figure 2. B-threads for increasing water flow. The first two b-threads request the events is requested by at least one b-thread
addHot and addCold three times, respectively. The third b-thread, Interleave, repeatedly
waits for addHot while blocking addCold and vice versa, forcing alternation of these
and is not blocked by any b-thread.
Figure 2. B-threads for increasing water flow. The selected event is then triggered by
events. Without Interleave, the run would be three addHot followed by three addCold,
due to b-thread priorities. resuming all the b-threads that either
The first two b-threads
requested it or are waiting for it. Each
class AddHotThreeTimes extends BThread { request addHot and of these resumed b-threads then pro-
public void runBThread() { addCold three times, ceeds with its execution, all the way to
for (int i = 1; i <= 3; i++) { respectively. The third
bp.bSync( addHot, none, none ); its next synchronization point, where
b-thread, Interleave,
} repeatedly waits for it again presents new sets of request-
} addHot while blocking ed, waited-for and blocked events. The
} addCold and vice versa, other b-threads remain at their last
forcing alternation of
class AddColdThreeTimes extends BThread { these events. Without
synchronization points, oblivious to
public void runBThread() { Interleave, the run would the triggered event, until an event is
for (int i = 1; i <= 3; i++) { Event log of
be three addHot followed
the coordinated run selected that they have requested or
bp.bSync( addCold, none, none ); by three addCold, due
} are waiting for. When all b-threads are
to b-thread
addHotpriorities.
} addCold again at a synchronization point, the
} addHot event selection process repeats. For a
addCold formal definition of this process see
class Interleave extends BThread addHot
public void runBThread() { addCold
Harel et al.25,26
while (true) { When more than one event is re-
bp.bSync( none, addHot, addCold ); quested and not blocked, the seman-
bp.bSync( none, addCold, addHot );
}
tics of event selection may vary. For ex-
} ample, the selection may be arbitrary
} or random, as in the default (a.k.a. naïve)
semantics of the LSC Play-Engine;21

92 com municatio ns o f the ac m | j u ly 201 2 | vo l . 5 5 | no. 7


choices may depend on some priority
order, as in standard BPJ execution; the
mechanism may use look-ahead sub-
ject to desired properties of the result-
ing event sequence, as in smart play-
out19,29 in LSC; it may vary over time,
based on learning;13 or, as in Kugler et
al.,34 the entire execution may diverge
into multiple concurrent paths.
The programming idioms of re-
quest, wait for, block thus express multi-
modality. Reminiscent of modal verbs
in a natural language (such as shall,
can or mustn’t), they state not only what
must be done (and how) as in standard
programming, but also what may be
done, and, more uniquely to behavior-
al programming, what is forbidden and
therefore must not be done.
Behavioral programming prin-
ciples can be readily implemented
as part of different languages and
programming approaches, with pos-
sible variations of idioms. In addition
to Java with the BPJ package25 (dis-
cussed later in more detail) we have
implemented them in the functional
language Erlang26,43 and Shimony et
al.42 applied them in the PicOS envi-
ronment using C. Implementations
in visual contexts beyond the original
Play-Engine include PlayGo23 and SBT
by Kugler et al.34
In behavioral programming, all
one must do in order to start develop-
ing and experimenting with scenarios
that will later constitute the final sys-
tem, is to determine the common set
of events that are relevant to these sce-
narios. While this still requires con-
templation, it is often easier to answer
the question “what are the events?”
than “which are the objects/functions,
etc.?” By default, events are opaque en-
tities carrying nothing but their name,
but they may be extended with rich
data and functionality.
Programming Behaviors In Java
Our implementation of behavioral pro-
gramming in Java uses the BPJ pack-
age.25 With BPJ, each behavior thread
is an instance of the class BThread.
Events are instances of the class
Event or classes that extend it (mainly
for adding data to events). The logic
of each behavior is coded as a method
supplied by the programmer, which
in turn invokes the method bSync to
synchronize with other behaviors, and
review articles
to specify its requested, waited-for and that controls hot and cold water taps,
blocked events as follows: whose output flows are mixed.
As shown in Figure 2, let AddHot-
bSync(requestedEvents, ThreeTimes be a b-thread that re-
waitedForEvents, quests three times the event of opening
blockedEvents); the hot water-tap some small amount
(addHot), and then stops. The b-thread
By calling bSync the b-thread sus- AddColdThreeTimes performs a sim-
pends itself until all other b-threads ilar action on the cold water tap (with
are at a synchronization point and the event addCold). To increase water
is resumed when an event that it re- flow in both taps more or less at the
quested or waited for is selected, as same time, as may be desired for keep-
described below. ing the temperature stable, we activate
To enforce predictable and repeat- the above b-threads alongside a third
able execution, we require that the one, Interleave, which forces the al-
event selected at each synchronization ternation of their events. Interleave
point be uniquely defined. To this end, repeatedly waits for addHot while
the programmer assigns a unique pri- blocking addCold, followed by waiting
ority to each b-thread, and places the for addCold while blocking addHot.
requested events of each b-thread in an Later, we illustrate a similar program
ordered set. The event selection mech- written in the visual LSC language.
anism in BPJ then uses this ordering to Behavioral execution can be further
choose the first event that is requested analyzed with table-like visuals, as in
and not blocked. Figure 3, which was generated by the
The source code package of BPJ is TraceVis trace-comprehension and
available online at http://www.b-prog. debugging tool.12 Briefly, b-threads
org with examples and video demon- are depicted in columns ordered by
strations. priority, and successive synchroniza-
Example: Water flow control. To il- tion points and associated triggered
lustrate how these constructs can be events appear in rows intersecting
used to allow new behaviors to non- the b-thread columns. Each table cell
intrusively affect existing ones, con- describes a b-thread’s state at a given
sider scenarios that are part of a system synchronization point. The sets of
Figure 3. Visualizing an execution of the water-tap application with TraceVis. Selected
events are marked with a green star; blocked events are marked with a red square; cells
marked R/W/B show requested, waited for, and blocked events.
AddHotThreeTimes AddColdThreeTimes Interleave
Reset Leader Leader Active
R AddHot R AddHot R
W W W AddHot
1 AddHot
B B B AddCold
R AddHot R AddCold R
2 AddCold W W W AddCold
B B B AddHot
R AddHot R AddHot R
3 AddHot W W W AddHot
B B B AddCold
R AddHot R AddCold R
4 AddCold W W W AddCold
B B B AddHot
ju ly 2 0 1 2 | vo l . 55 | n o. 7 | c om m u n i c at ion s o f t he acm 93
review articles
requested, waited-for, and blocked
events are shown in sub-cells marked
R, W, and B respectively. In each row,
all appearances of the selected event
are marked with a green star, and re-
quested events that are blocked are
marked by red squares, providing in-
sight into the rationale of event selec-
tion and b-thread progression. The cell
containing the request that drove the
event triggering is emphasized with
a bold border, and cells of b-threads
that did not advance are marked by a
dashed border.
Example: Strategies for Tic-Tac-Toe.
Behavioral programming supports in-
cremental development, where new
behaviors may be added non-intru-
sively, that is, with little or no change
to existing code. We demonstrate this
trait with an application for playing
the game of Tic-Tac-Toe, described in
detail in Harel et al.25 As outlined in
the introduction, players X (a human)
and O (the computer) alternately mark
squares on a grid of 3 rows by 3 col-
umns, each attempting to place three
of her marks in a full horizontal, verti-
cal or diagonal line. Each marking of
a square labeled árow, colñ is repre-
sented by a move event, Xárow,colñ or
Oárow,colñ. The events XWin, OWin
and Draw mark possible conclusions
of the game.
A play of the game can be described
as a sequence of events. For example,
the sequence Xá0,0ñ, Oá1,1ñ, Xá2,1ñ,
Oá0,2ñ, Xá2,0ñ, Oá1,0ñ, Xá2,2ñ, XWin,
describes a play in which X wins, and
whose final configuration is depicted
in Figure 4.
Figure 4. The Tic-Tac-Toe gameboard
configuration following the move events
Xá0,0ñ, Oá1,1ñ, Xá2,1ñ, Oá0,2ñ,
Xá2,0ñ, Oá1,0ñ, Xá2,2ñ.
94 com municatio ns o f th e acm | j uly 201 2 | vol . 5 5 | no. 7
We describe the incremental de-
velopment of all the b-thread classes
needed for the rules and tactics in
Harel et al.25 Here, we describe the flow
of some of the b-threads to illustrate
how the natural language descriptions
in the beginning of the article, can be
translated to code which includes calls
to bSync. The b-thread for the game-
rule SquareTaken, for example, first
calls bSync to wait for any X or O event
and then calls bSync again to block
all events in the newly marked square.
As another example, the b-thread De-
faultOMoves uses a Java loop to re-
peatedly request (by calling bSync)
the set of all nine possible O moves
ordered with center first, then corners,
and then edge squares. An example of
a longer scenario is AddThirdO, which
waits for an O event, then waits for an-
other O event in the same line, and
then requests an O event marking the
third square in the line.
To demonstrate incremental devel-
opment, consider how when we learn
that our defense behaviors are insuffi-
cient against a corner-center-corner at-
tack (for example, Xá0,0ñ, Oá1,1ñ, Xá2,2ñ)
for which the only defense is a coun-
terattack, we can add a b-thread as fol-
lows. To foil X’s plan, the new b-thread
waits for this sequence of events (and
equivalent ones), and attacks back
by requesting the move Oá0,1ñ. Later,
we discuss how this development ap-
proach can be enhanced using a mod-
el-checking tool.
B-threads may autonomously watch
out for very specific sequences of events
embedded in larger traces, with expres-
siveness that goes beyond responding
to a single event or to a combination
of conditions, as is common in basic
rule engines. Moreover, in our experi-
ence, a given “world configuration” or
a complete event sequence may be as-
signed different meanings by different
behaviors as they individually work to-
ward different goals. For example, De-
tectXWin and PreventThirdX can
independently observe the same two X
moves in the same line, but while the
former then waits for another X move
toward announcing a win, the latter
proceeds to make an O move in the third
square to prevent a loss. In fact, most of
our Tic-Tac-Toe b-threads do not check
the game configuration; for example, a
b-thread DetectDraw counts any nine
moves and declares the end of the game
with no winner, and PreventThirdX
ignores O moves before requesting its
own desired move.
Focusing on a narrow facet of a be-
havior can simplify the b-thread and
can be accomplished by instantiat-
ing copies of it with different param-
eters. For example, we implemented
SquareTaken with an instance for
each square, and DetectXWin with an
instance for each permutation of three
X events in each line.
The autonomy afforded by a narrow
world view is facilitated also by the fact
that all b-threads that request a given
event at a particular synchronization
point are notified when it occurs, and
are unaware of whether the selected re-
quest was theirs or came from another
b-thread. For example, a single mark-
ing of an O in a particular square could
result from simultaneous requests by
the AddThirdO, PreventThirdX,
and DefaultOMoves b-threads. Us-
ing blocking and priorities, autono-
mous b-threads can “carve out” un-
desired behaviors of other b-threads,
as, say, with coding DefaultOmoves
to repeatedly ask for the same set of
events without checking which one
was triggered, and then adding the b-
thread SquareTaken.
Example: Real-time aircraft stabili-
zation. Given the principles described
so far, one may ask how behavioral pro-
grams deal with external events, such
as physical ones originating in the en-
vironment, or user actions. This sec-
tion briefly introduces elements that
can serve in a layer above the behav-
ioral programming infrastructure for
development of real-time systems. See
Harel et al.26 for more details.
Behavioral applications can de-
tect external events at any time, using
all the features available in the host
language, and can introduce them as
behavioral events in the next synchro-
nization point. For the integration of
behavioral and non-behavioral parts of
an application, we adopt the following
scheme, based on the concept of super-
steps, which is similar to the timing se-
mantics of Statecharts.27
The first super-step begins when
the system starts. Then, internal b-
thread-driven events are triggered
until there are no more such events
to trigger. At this point the behavioral

system halts, all b-threads are inside a
bSync method call, and the system is
waiting for an external event. When an
external event occurs and introduced
as a behavioral one, it marks the begin-
ning of a new super-step, which then
continues until there are no events to
trigger, and so on. We propose a con-
vention, whereby external events are
not introduced as behavioral events as
long as there are other internal events
to trigger. In LSC, this is enforced by
the Play-Engine and PlayGo tools. In
BPJ, the programmer can assign to
a b-thread that introduces external
events a priority lower than that of any
b-thread that may request other (inter-
nal) events at the same time. One may
view the super-step as an ordered se-
quence of events, which ideally takes
“zero time,” as in Berry’s synchrony
hypothesis4 and in Statecharts,27 and
similar to hybrid time sets and logical
execution time (LET) design.31
We now outline parts of the soft-
ware for controlling a quadrotor, an
aircraft lifted and propelled by four
fixed rotors, as detailed in Harel et al.26
One of the challenges in stabilizing a
quadrotor is using a fixed set of con-
trols, namely the rotors’ speed (RPM),
to balance competing goals like de-
sired forces and moments along differ-
ent axes: flight direction, roll (side-to-
side), pitch (raising and lowering the
front), and yaw (rotation of the entire
quadrotor). These goals compete with
each other as changes in any rotor
speed may affect multiple forces. For
example, changing the back rotor’s
RPM affects the thrust, the pitch and
the yaw. Behavioral programming al-
lows decomposing the application into
b-threads, each of which takes care of
only one force. For example, “when
thrust is too low, request the increase
of at least one of the rotors’ RPM and
block the decrease of all rotors’ RPM”
or “when pitch angle is too high, re-
quest the increase of the back rotor’s
RPM or the decrease of the front rotor’s
RPM while blocking the increase of the
back rotor’s RPM and the decrease of
the front rotor’s RPM.” Note that the
event selection mechanism will weave
these two behavior threads, in such
a way that when the thrust is too low
and the pitch is too high, only the back
rotor’s RPM will increase, address-
ing both deviations. To fix deviations
of different sizes, many small RPM-
change events occur before new input
of desired forces is obtained in the next
super-step. The actual b-threads are
more involved than those shown here,
but they maintain their naturalness
and independence. For a fuzzy-logic
based approach to implementing con-
trol with behavioral programming, see
Harel et al.24
Live Sequence Charts
The visual language of live sequence
charts (LSC) introduced scenario-
based programming, and implicitly
also the basic concepts of behavioral
programming; see Damm and Harel.11
One continuation of that work was the
invention of the play-in and play-out
techniques for constructing and exe-
cuting LSCs, which were implemented
in the Play-Engine tool.21 A more re-
cent tool, PlayGo, has been developed,
and is currently being extended and
strengthened.23 The LSC approach
also inspired the SBT tool.34 While the
current status of these tools does not
yet enable broad usage in real-world
applications, the versatility of the LSC
language has been demonstrated in
various application domains, includ-
ing hardware, telecommunication,
production control, tactical simula-
tors, and biological modeling.2,10,41
LSC adds liveness and execution
semantics to behaviors described us-
ing message sequence charts (MSC) by
extending MSC with modalities, sym-
bolic instances, and more. An MSC de-
Figure 5. A universal LSC. Whenever a telephone user presses the sequence of a star,
a digit, and send (see hexagonal prechart), the chip must retrieve the corresponding
number from memory and call it by sending a message to the environment. If a busy
signal is returned, the call must be tried up to three times. The events in the main chart
may occur only in the order specified.
* Keyboard
Click
Click (digit)
Click
ju ly 2 0 1 2 | vo l. 55 | n o. 7 | c om m u n ic at ion s o f t he acm
review articles
picts behavior using vertical lifelines
to represent objects and horizontal
arrows for messages passed between
them, with time flowing from top to
bottom. This yields a partial order for
occurrences of the events in a chart.
However, the expressive power of MSC
is limited,11 as these charts describe
possible scenarios and cannot specify,
for example, what is mandated or what
is not allowed. In fact, given a set of
objects and events, a system that gen-
erates all possible sequences of events
would satisfy any MSC.
To address this, in a live sequence
chart one can distinguish what must
happen (called hot in LSC terminol-
ogy, and colored red) from what may
happen (termed cold, and colored
blue), and can also express what is not
allowed to happen (forbidden). More-
over, event specifications that are to be
executed in a proactive manner can be
distinguished from ones that specify
monitoring; that is, merely tracking
the event. LSC also distinguishes be-
tween universal charts, which depict
executions that are to apply to all runs,
and existential charts—which serve as
“examples” and are required to apply
only to at least one run. A universal
LSC consists of a prechart and a main
chart, as in Figure 5. The semantics
is that if and when the behavior de-
scribed by the prechart occurs, the
behavior described by the main chart
must occur too.
Using a designated chart area, one
can forbid occurrence of events at
Send key Chip Memory ENV
Retrieve (digit)
number
3 Call(number)
signal
signal busy
95
review articles
certain times. There are other ways to
forbid things from occurring; one of
which is done by indicating that events
in the main chart must occur only in
the specified (partial) order. For ex-
ample, one can specify that when the
main chart is active, events that appear
in the chart but are not presently en-
abled cannot be triggered at that point
in time by other charts.
A modest view of LSC considers it
to be a requirements and specification
language for making assertions about
sequences of events. In this view, a sys-
tem satisfies an LSC specification if all
its runs satisfy all the universal charts
in the specification, and for each exis-
tential chart, there is at least one run
that satisfies it.
However, the play-out technique fa-
cilitates the execution of an LSC speci-
fication, that is, a collection of charts,
just like any computer program. Play-
out does this by tracking events that
may be selected next in all lifelines
in all charts, selecting and triggering
events subject to the must/may/forbid-
den modalities, and advancing affect-
ed charts accordingly.21 As described
in more detail below, play-out may
be viewed as interpreting charts with
modal events as threads of behavior
with their requested, waited-for, and
blocked events.
A dialect of LSC has been designed
to be compliant with UML 2.0,22 and
can be defined as a profile therein.
Instead of precharts it uses solid and
dashed arrows to indicate whether an
Figure 6. UML-compliant LSCs. Each chart begins with the user pressing the start button. Two charts request tap-turning events, and the
third causes their interleaving by alternately waiting for these events. Events can occur only when enabled for triggering in all charts in
which they appear. The SYNC construct forces order between events in different lifelines.
LSC AddHotThreeTimes
User startButton hotWater
start()
SYNC
addHot()
addHot()
addHot()
96 comm unicatio ns o f th e ac m | j u ly 201 2 | vol . 5 5 | no. 7
event is to be executed or is only moni-
tored, while the red and blue color
retain their respective modalities of
must and may. The PlayGo tool18,23 is
currently based on this version of the
language. Figure 6 depicts a PlayGo
example similar to the water-tap appli-
cation discussed earlier, with the addi-
tion of the user pressing a start button
to activate all scenarios.
Internally, the LSC play-out mecha-
nism uses the request / wait / block
idioms for collective execution, as fol-
lows. Initially, the next enabled event
for each lifeline in each chart is the top-
most event in the lifeline. All enabled
events on all lifelines are considered
waited-for. All enabled events that are
also to be executed (and not just moni-
tored) are considered also as request-
ed. All events that are forbidden, either
explicitly or implicitly, are considered
blocked. An event that is requested and
not blocked is then triggered. When
no event can be triggered, the system
waits for an event from the user or the
environment. When an event is trig-
gered, a rich unification algorithm de-
termines which event specifications in
different charts refer to that event, and
all lifelines in which it is enabled are
advanced to their next state. Whenever
this advancing causes a prechart to be
completed, the main chart portion of
the chart is activated. When a forbid-
den event nevertheless occurs, for ex-
ample, as driven by the environment
or the user, a violation occurs and the
execution terminates.
LSCAddColdThreeTimes
User startButton hotWater
start()
SYNC
addCold()
addCold()
addCold()
This process is often referred to
as naïve play-out. In a more advanced
mechanism, called smart play-out19,29
the Play-Engine uses either model-
checking or AI planning algorithms
to look ahead, in an attempt to select
events in ways that do not eventually
lead to violation of the specification
or deadlock.
In addition to the interpreter-like
approach of play-out, a compiler for
LSC has been developed, which pro-
duces executable code by compiling
the specification into Java and weaving
the results with AspectJ.38
One notable difference between LSC
and the BPJ package is that BPJ benefits
from the power of the Java host lan-
guage. By contrast, the LSC language
provides its own constructs for objects
and properties, flow of control, excep-
tions, variables, symbolic objects and
messages, a notion of time, sub-chart
scope, access to functions in other lan-
guages, and external communication.21
Play-in. An essential element of
programming is the process by which
programmers perform actual coding.
In behavioral programming, it seems
only natural to allow this activity to
include walking through a scenario,
generating events and sequences
thereof, and using them in specifying
what we want done or forbidden. To-
ward that purpose, the LSC language
allows a new way of coding, called
play-in,15,21 which captures scenarios
as follows: whenever possible, the de-
veloper actually performs the event—
LSC Interleave
User startButton hotWater coldWater
start()
SYNC
loop
[–1,–1]
addHot()
SYNC
addCold()

for example, by pressing “send” on a
telephone—and the tool captures the
event and includes it as part of the
gradually generated LSC. The reader
is referred to Harel and Marelly21 and
the Web site http://www.wisdom.weiz-
mann.ac.il/~playbook for more details.
Play-in is similar to programming
by example37 in that both try to make
programming easier for humans us-
ing visualization and physical actions,
and the approaches can certainly gain
from one another. The main differ-
ence is that programming by example
is a way to avoid writing code in small
programs, for educational purposes,
where play-in is intended for use as
part of programming modal scenar-
ios to be executed collectively as a
complex system.
Can It Work In The Real World?
In way of trying to tackle such ques-
tions as “can the approach deal with
conflicts and underspecification?” or
“can one coordinate thousands of si-
multaneous behaviors?” we outline
some relevant research results.
One concern associated with align-
ing application scenarios with require-
ments is that individually valid require-
ments may conflict. Thus, coding them
independently of each other and com-
posing them without consideration
may yield undesired joint behavior.
We first observe that, as described,
our approach suggests resolving con-
flicts using new b-threads and priori-
ties. For example, in Tic-Tac-Toe, the
conflict (which may emerge very early
in development) concerning both
players requesting a move at the same
time, is resolved by a b-thread that
enforces turn alternation. Similarly, a
conflict between a defensive move and
a move that yields an immediate win is
resolved by prioritizing the latter.
Further, we present a methodol-
ogy and a supporting model-check-
ing tool (called BPmc) for verifying
behavioral programs without having
to first translate them into a spe-
cific input language for the model
checker.20 Our method facilitates
early discovery of conflicting or un-
derspecified scenarios. For example,
when model-checking a behavioral
Tic-Tac-Toe application, the coun-
terexample Xá0,0ñ, Oá1,1ñ, Xá0,1ñ,
Oá0,2ñ, Xá2,0ñ, Oá2,2ñ, Xá1,0ñ suggests
Play-in is similar
to programming
by example in that
both try to make
programming easier
for humans using
visualization and
physical actions,
and the approaches
can certainly gain
from one another.
ju ly 2 0 1 2 | vo l . 55 | n o. 7 | com m u n i c at ion s o f t he ac m
review articles
(as described earlier) that the victory
of X could have been avoided had the
application played Oá1,0ñ in its last
turn, preventing the completion of
three X marks in a line, instead of its
default preference to mark corners.
Note that in coding refinements and
corrections, counterexamples pro-
vided by the tool can be used directly
since they are sequences of events.
See Harel et al.17 for an application of
this property to the automatic local
repair of behavioral programs.
From the model-checking perspec-
tive, the BPmc tool (which currently
applies to our Java implementation of
behavioral programming) reduces the
size of the state-space of a Java pro-
gram using an abstraction that focuses
on the behaviorally interesting states
and treats transitions between them
as atomic. To the existing standard ex-
ecution control, which consists of de-
terministic progression along a single
path in the behavioral program state
graph, we add two model-checking ex-
ecution modes: safety and liveness. The
safety mode explores the different paths
in the graph in search of a state that vio-
lates the given safety property, while
the liveness mode seeks cycles that
violate the given liveness property. The
graph traversal in BPmc is carried
out with established model check-
ing algorithms and uses the Apache
javaflow package to save and restore
continuations—objects that hold the
states of participating threads—for the
required backtracking.
Synthesis techniques have also been
applied to LSC, in order to check for
conflicts and, when possible, to gen-
erate a program that correctly imple-
ments a system complying with the
specification.30,35
Model checking and planning algo-
rithms are used when running LSCs to
help avoid conflicts when these can be
resolved via “smart” event selection us-
ing look-ahead within a super-step.19,29
Future research directions include
applying BPmc to achieve look-ahead
in Java execution too, as well as going
beyond a single super-step in the smart
play-out method in LSC.
As for underspecification and
adaptability, it is well accepted in soft-
ware engineering that a requirements
document is never really complete,16
and that new requirements keep
97
review articles
emerging as developers and users
learn about and experiment with the
developed system.
Similarly to the case of conflicts,
new requirements in behavioral pro-
gramming can often be coded as new
behaviors. For example, while develop-
ing the quadrotor application we real-
ized that rotor speed (RPM) cannot be
negative. We solved this by adding a
b-thread that blocks speed reduction
events when the speed is too low.
Obviously, both model checking and
the look-ahead mentioned here may
help detect and deal with such under-
specification. The problem can also be
handled by making the program learn
and adapt as part of its development.
For example, extending the semantics
of behavioral programming with rein-
forcements allows applications that
also specify, in addition to what should
be done or not done at every step, broad-
er goals.13 Reinforcements are captured
by b-threads, each one contributing a
narrow assessment of the current situ-
ation relative to a longer-term goal. Le-
veraging the unique structure of behav-
ioral programs, an application-agnostic
learning mechanism translates the re-
inforcements into event-selection deci-
sions that improve over time. This abil-
ity to learn and adapt allows removal of
the need for a total order on b-threads
and event requests, thus simplifying
development. For example, a salad-
making robot is specified in Eitan and
Harel,13 with scenarios for picking up
vegetables, and washing, cutting, and
serving them in designated locations.
With the help of reinforcements, the
robot learns to perform these tasks in
the correct order, while overcoming ob-
stacles in the kitchen and dealing with
refueling tasks.
Another concern around behavioral
programming execution is that if one di-
vergent b-thread (a runaway) fails to syn-
chronize, the entire application stops.
The problem is of course aggravated
when many behaviors are involved.
As described in Harel et al.26 and
following the work in Barak et al.,3 we
expect that in large behavioral applica-
tions not all behaviors will be required
to synchronize with each other. In-
stead, we anticipate that synchroniza-
tion requirements will be reduced by
dividing large numbers of naturally
specified behaviors into nodes; each of
98 comm unic atio ns o f the acm | j u ly 201 2 | vo l. 5 5 | no. 7
which is fully synchronized internally,
and where the communication be-
tween nodes is carried out by external
events. The resulting system will still
be incremental, in that new functional-
ity can be implemented by adding sce-
narios to different behavior nodes to
generate and interpret (new) external
events, with little or no modification to
existing ones.
Consider a manager-employee rela-
tion in a corporation. Each of the two
is constantly driven by a multitude of
(personal) behaviors, but without par-
ticipation in each other‘s decisions.
The overhead of a communication pro-
tocol, the delays in reacting to messag-
es while continuing autonomous work,
and indeed, the occasional correctable
misunderstanding, are tolerable, and
are balanced with the efficiency and ef-
ficacy afforded by autonomy.
The assignment of b-threads to
nodes should allow for discovering and
dealing with synchronization issues
in a local manner, using both model
checking and standard development
and testing techniques. The division
into behavior nodes also simplifies pri-
ority assignment, in that one needs to
consider priorities only within a node.
Different behavior nodes may be as-
sociated with different time-scales,
reducing synchronization delays.26
For example, a behavior node for han-
dling a multistop travel itinerary of a
quadrotor may synchronize at a much
slower pace than the one responsible
for stabilizing the aircraft at all times.
This division may help also in the run-
time detection of runaway b-threads,
by using node-specific timers.
The concept of behavior nodes
that communicate only via events also
makes it easier to avoid race condi-
tions. In this context it should be noted
that race conditions are completely
avoided in behavioral programming if
behaviors communicate only through
events, and do not use host language
facilities to share data.26
Related Work and Future Directions
In some languages (for example, work-
flow engines or simulation specifica-
tions) scenarios and behaviors may be
encoded quite directly and visibly. In
others (for example, procedural and ob-
ject oriented programming, functional
programming and logic programming)
different modularization may cause
scenario encodings to be more subtle;
rendering them visible only at run-
time. One of the main contributions
of behavioral programming is the abil-
ity to program multimodal scenarios
incrementally using modules that are
aligned with requirements.16
Relative to object-oriented program-
ming, behavioral modules and events
may involve objects, but they are not
necessarily anchored to a single one.
When programming behaviorally, one
focuses on system behavior, and less
on identifying actors. Often, behavior
threads represent inter-object scenari-
os that are not directly visible when the
software is implemented as methods
of individual objects. The states of such
scenarios often conveniently replace or
complement data in standard objects.
Ideas for using behaviors that are
specified as refinements and con-
straints over other modules are dis-
cussed in the context of superimposi-
tions.7 Behavioral programming offers
practical programming mechanisms
for implementing implicit, indirect
control of one behavior over all other
relevant behaviors, without explicit
references from a controlling or con-
straining module to the controlled,
base module. Additionally, in behavior-
al programming all system behaviors
are treated equally, without the distinc-
tion between base and refinements.
Aspect-oriented programming (AOP)33
focuses on implementing cross-cut-
ting concerns as separate modules
that can modify the behavior of base
application modules. AOP’s relation
to superimposition was pointed out
in Katz and Gil.32 We believe behav-
ioral programming can contribute
toward implementing symmetric as-
pects, complementing the currently
prevalent asymmetric approach that
distinguishes base code from aspects.
In addition, while behavioral program-
ming allows the triggering of behaviors
by sequences of events, in present AOP
implementations, join-points com-
monly represent individual events, and
triggering behaviors following rich se-
quences of events requires non-trivial
state management in the aspect code.
In robotics and hybrid-control there
are behavior-based architectures, in-
cluding Brooks’s subsumption archi-
tecture,9 Branicky’s behavioral program-

ming,8 and leJOS,37 which construct
systems from behaviors (see the review
in Arkin1). Our behavioral programming
approach may serve as a formalism,
implementation, or possible extension,
of some coordination and arbitration
components in these architectures.
The test-driven or behavior-driven
development methodologies (for ex-
ample, JBehave, see http://jbehave.
org) emphasize the importance of ar-
ticulating scenarios of expected over-
all system behavior early in develop-
ment. As the formal description of
scenarios is shown to be valuable, we
propose that with behavioral program-
ming it may be possible to actually use
such specifications as part of the de-
veloped system.
We feel that a key contribution of
behavioral programming to estab-
lished programming paradigms seems
to be the addition of a concise and au-
tonomous way for a process to block, or
veto, events that other processes may
attempt to trigger. In common pub-
lish/subscribe mechanisms, for exam-
ple, such blocking would require ad-
ditional inter-process communication.
In research to be published separately,
we prove that the explicit blocking idi-
om can make behavioral programs ex-
ponentially more succinct (in the num-
ber of states) than traditional publish/
subscribe idioms.
Clearly, behavioral programming
principles can be implemented in other
languages and environments. We view
the approach as an enrichment of, not
an alternative to, current programming
approaches. In particular, constructs
like semaphores/rendezvous, chan-
nels/message queues, and threads/con-
tinuations, can be used to implement
and to complement the synchroniza-
tion and blocking of behavioral pro-
gramming. More specifically, in rich
decentralized applications, behavioral
programming can coexist with actor-
oriented, agent-oriented, and other
concepts that enable coordination of
concurrent processes (see, for example,
the survey in Bordini et al.6).
Illustration by Leandro C astel ao
In this context, the main point
about behavioral programming is its
focus on interweaving independent
behaviors to yield a desired run (a se-
quence of events), and the lesser focus
on issues related to parallel execution
of independent behaviors and the re-
We believe
that behavioral
programming can
contribute toward
implementing
symmetric aspects,
complementing the
currently prevalent
asymmetric
approach that
distinguishes base
code from aspects.
ju ly 2 0 1 2 | vo l . 55 | n o. 7 | c om m u n i cat ion s o f t he acm
review articles
sulting performance gains. In fact,
some implementations of the behav-
ioral execution mechanism are sin-
gle-threaded. It would be interesting
to explore the synergy of behavioral
programming with such languages,
which could be done, for example, by
introducing blocking and synchro-
nization idioms into non-behavioral
platforms and using established plat-
forms to connect behaviorally pro-
grammed nodes.
The execution semantics of behav-
ioral programming has similarities
to the event-based scheduling of Sys-
temC,39 which performs co-routine
scheduling in three phases, evaluation,
update, and notification, as follows: all
runnable processes are run, one at a
time, up to a synchronization point;
queued updates are recorded; and,
processes affected by these updates are
then made runnable.
The BIP language (behavior, inter-
action, priority) and the concept of glue
for assembling components proposed
by Sifakis and his colleagues (see, for
example, Bliudze and Sifakis5) pursue
goals similar to ours. Though some of
the terminology is similar, the specifics
are different. BIP focuses on creating a
system that is correct-by-construction
with regard to safety properties like
freedom from deadlock, while behav-
ioral programming concentrates on
programming in a natural way, and
turns to other techniques, including
model checking, to discover and re-
solve potential conflicts. A possible
research direction involves adding syn-
chronization and blocking as composi-
tion idioms of BIP.
Finally, behavioral programming
may be suitable for software projects
that call for feature-oriented develop-
ment40 and product-line packaging.
For example, an expert version of a
game-playing program could differ
from the novice version by simply in-
cluding behavior threads for addition-
al strategies. In Harel et al.25 we discuss
behavioral programming in relation
to additional programming languages
and models.
As to application domains, we note
how features of behavioral program-
ming contribute to making it useful for
particular domains, as follows. Coding
inter-object scenarios can be useful,
for example, for orchestrating valves,
99
review articles
pumps, and the like in automation and
process control. The ability to pack dis-
tinct, seemingly unrelated behaviors
into a single operating entity seems
promising in areas like robotics, self-
guided vehicles, and the modeling of
biological systems. The combination
of reactivity and rich scripts can be ap-
plied to information-system manage-
ment including workflow control, event
processing, root-cause analysis, and
automated configuration, among oth-
ers. Finally, the ability to trace events
in the context of their respective sce-
narios, may allow decision-making ap-
plications to explain their behavior and
facilitate ongoing human validation.
Behavioral programming may also
accommodate customization as part
of the development cycle, where end-
users can enhance, change, or remove
functionality of delivered systems (for
example, smartphones), by coding or
downloading new behaviors without
accessing the core product code.
As a general paradigm, behavioral
programming is still in its infancy. It
has been applied to a relatively small
number of projects, and the existing
tools are not yet of commercial power.
More research and development is
needed in expanding implementations
in a variety of programming contexts
and for larger real-world applications.
We should also experiment with the
collaboration of multiple development
groups, and expand the work on formal
verification, synthesis, performance
and scalability, automated learning
and adaptability, the use of natural lan-
guage, and enhanced play-in.
We feel that the natural incremental
development afforded by behavioral
programming could become valuable
for novices and seasoned programmers
alike. We hope the paradigm, with its
current implementations in LSC, Java,
and other platforms, contributes to the
vision of liberating programming,16 and
that this article will encourage debate
about the ideas, as well as further re-
search and development.
Acknowledgments
David Harel thanks Werner Damm and
Rami Marelly for the wonderful col-
laborations of 1998–1999 and 2000–
2003, respectively, without which the
ideas described here would not exist.
We are grateful to Shai Arogeti, Yoram
100 co mm unicatio ns o f t h e ac m | j u ly 201 2 | vo l . 5 5 | no. 7
Atir, Michael Bar-Sinai, Daniel Barkan,
Dan Brownstein, Nir Eitan, Michal
Gordon, Amir Kantor, Hillel Kugler,
Robby Lampert, Shahar Maoz, Yaarit
Natan, Amir Nissim, Yaniv Saar, Avital
Sadot, Itai Segall, Nir Svirsky, Smadar
Szekely, Moshe Vardi, Moshe Wein-
stock, Guy Wiener, and Guy Weiss for
their valuable comments and contri-
butions throughout the development
of this article and the ideas behind it.
Thanks to Shmuel Katz for insights on
positioning behavioral programming
relative to aspect-orientation. We also
thank the anonymous reviewers for
their valuable suggestions.
Harel’s and Marron’s research was
supported in part by the John von Neu-
mann Minerva Center for the Develop-
ment of Reactive Systems at the Weiz-
mann Institute of Science, and by an
Advanced Research Grant to DH from
the European Research Council (ERC)
under the European Community’s
FP7 Programme. Weiss’s research was
supported by the Lynn and William
Frankel Center for Computer Science
at Ben-Gurion University and by a rein-
tegration (IRG) grant under the Euro-
pean Community’s FP7 Programme. 32. Katz, S. and Gil, J.Y. Aspects and superimpositions.
References
1. Arkin, R.C. Behavior-Based Robotics. MIT Press, 1998.
2. Atir, Y. and Harel, D. Using LSCs for scenario authoring
in tactical simulators. In Summer Computer
Simulation Conference. Soc. for Comp. Simulation Int.,
2007.
3. Barak, D., Harel, D. and Marelly, R. Interplay:
Horizontal scale-up and transition to design
in scenario-based programming. Lectures on
Concurrency and Petri Nets, (2004), 66–86.
4. Berry, G. and Cosserat, L. The Esterel synchronous
programming language and its mathematical
semantics. In Seminar on Concurrency, Springer,
1985, 389–448.
5. Bliudze, S. and Sifakis, J. A notion of glue expressiveness
for component-based systems. CONCUR, 2008.
6. Bordini, R.H., Dastani, M. Dix, J. and Seghrouchni,
A.E.F. Multi-Agent Programming: Languages, Tools
and Applications. Springer, 2009.
7. Bouge, L. and Francez, N. A compositional approach to
superimposition. In POPL, 1988.
8. Branicky, M.S. Behavioral programming. In Working
Notes AAAI Spring Symp. on Hybrid Sys. and AI, 1999.
9. Brooks, R. A robust layered control system for a mobile
robot. IEEE J. of Robotics and Automation 2, 1 (1986).
10. Bunker, A., Gopalakrishnan, G. and Slind, K. Live
sequence charts applied to hardware requirements
specification and verification. Int. J. on Software Tools
for Technology Transfer 7, 4 (2005).
11. Damm, W. and Harel, D. LSCs: Breathing Life into
Message Sequence Charts. J. on Formal Methods in
System Design 19, 1 (2001).
12. Eitan, N., Gordon, M., Harel, D., Marron, A. and Weiss,
G. On visualization and comprehension of scenario-
based programs. ICPC, 2011.
13. Eitan, N. and Harel, D. Adaptive behavioral programming.
IEEE Int. Conf. on Tools with Artificial Intelligence, 2011.
14. Gordon, M., Marron, A., and Meerbaum-Salant, O.
Spaghetti for the main course? Observations on
naturalness of scenario-based programming. ITICSE.
To appear July 2012.
15. Harel, D. From play-in scenarios to code: An achievable
dream. IEEE Computer 34, 1 (2001).
16. Harel, D. Can programming be liberated, period? IEEE
Computer 41, 1 (2008).
17. Harel, D., Katz, G., Marron, A. and Weiss, G. Non-
intrusive repair of reactive programs. ICECCS. To
appear July 2012.
18. Harel, D., Kleinbort, A. and Maoz, S. S2A: A compiler for
multi-modal UML sequence diagrams. Fundamental
Approaches to Software Engineering, 2007.
19. Harel, D., Kugler, H., Marelly, R. and Pnueli, A. Smart
play-out of behavioral requirements. FMCAD, 2002.
20. Harel, D., Lampert, R., Marron, A. and Weiss, G. Model-
checking behavioral programs. In EMSOFT, 2011.
21. Harel, D. and Marelly, R. Come, Let’s Play: Scenario-
Based Programming Using LSCs and the Play-Engine.
Springer, 2003.
22. Harel, D. and Maoz, S. Assert and negate revisited:
Modal semantics for UML sequence diagrams.
Software and System Modeling 7, 2 (2008), 237–252.
23. Harel, D., Maoz, A., Szekely, S. and Barkan, D. PlayGo:
Towards a comprehensive tool for scenario based
programming. ASE, 2010.
24. Harel, D., Marron, A., Nissim, A. and Weiss, G.
Combining behavioral programming and fuzziness
for hybrid control systems. In Proc. 2012 IEEE
International Conference on Fuzzy Systems. To appear
June 2012.
25. Harel, D., Marron, A. and Weiss, G. Programming
coordinated scenarios in Java. ECOOP, 2010.
26. Harel, D., Marron, A., Weiss, G. and Wiener, G.
Behavioral programming, decentralized control, and
multiple time scales. AGERE!, 2011.
27. Harel, D. and Naamad, A. The STATEMATE semantics
of statecharts. TOSEM 5, 4 (1996).
28. Harel, D. and Pnueli, A. On the Development of
Reactive Systems, in Logics and Models of Concurrent
Systems. NATO ASI Series, Vol. F-13. 1985.
29. Harel, D. and Segall, I. Planned and traversable play-
out: A flexible method for executing scenario-based
programs. Tools and Algorithms for the Constr. and
Anal. of Systems, 2007.
30. Harel, D. and Segall, I. Synthesis from live sequence
chart specifications. Computer System Sciences, 78:3
(2012), 970-980.
31. Henzinger, T.A., Kirsch, C.M., Sanvido, M.A.A. and
Pree, W. From control models to real-time code using
Giotto. IEEE Control Systems Magazine 23, 1 (2003).
AOP Workshop at ECOOP, 1999.
33. Kiczales, G., Lamping, J., Mendhekar, A., Maeda, C.,
Lopes, C., Loingtier, J.M. and Irwin, J. Aspect-oriented
programming. ECOOP, 1997.
34. Kugler, H., Plock, C. and Roberts, A. Synthesizing
biological theories. In CAV, 2011.
35. Kugler, H. and Segall, I. Compositional synthesis
of reactive systems from live sequence chart
specifications. Tools and Alg. for the Constr. and Anal.
of Systems, 2009.
36. LEJOS. Java for LEGO Mindstorms; http://lejos.
sourceforge.net/.
37. Lieberman, H. Your Wish is My Command: Programming
by Example. Morgan Kaufmann, 2001.
38. Maoz, S. and Harel, D. From multi-modal scenarios to
code: Compiling LSCs into AspectJ. In FSE, 2006.
39. OSCI. Open SystemC Initiative. IEEE 1666 Language
Reference Manual; http://www.systemc.org.
40. Prehofer, C. Feature-oriented programming: A fresh
look at objects. ECOOP, 1997.
41. Sadot, A., Fisher, J., Barak, D. Admanit, Y. Stern, M.J.,
Hubbard, E.J.A and Harel, D. Toward verified biological
models. IEEE/ACM Trans. Comput. Biology Bioinform
5, 2 (2008).
42. Shimony, B., Nikolaidis, I., Gburzynski, P. and Stroulia,
E. On coordination tools in the PicOS tuples system.
SESENA, 2011.
43. Wiener, G., Weiss, G. and Marron, A. Coordinating and
visualizing independent behaviors in Erlang. In 9th ACM
SIGPLAN Erlang Workshop, 2010.
David Harel ([email protected]) is The William
Sussman Professorial Chair in the Department of
Computer Science and Applied Mathematics at
The Weizmann Institute of Science, Rehovot, Israel.
Assaf Marron ([email protected]) is a
researcher at The Weizman Institute of Science, Rehovot,
Israel.
Gera Weiss ([email protected]) is an assistant professor
in the Department of Computer Science at Ben Gurion
University of the Negev, Be’er Sheva, Israel.
© 2012 ACM 0001-0782/12/07 $15.00
THIRD ANNUAL ACM
CONFERENCE ON

SYSTEMS,
PROGRAMMING,
LANGUAGES, TUCSON, ARIZONA
APPLICATIONS:
SOFTWARE FOR
OCTOBER 19-26, 2012
HUMANITY

LOCATION
Loews Ventana Canyon Resort
Tucson, Arizona, USA

EVENTS
• OOPSLA
• Onward!
• Dynamic Languages Symposium,
• Wavefront
• Workshops
• ACM Student Research Competition
• Pattern Languages of Programming
• ...and more!

GENERAL CHAIR
Gary T. Leavens
University of Central Florida
[email protected]

OOPSLA PROGRAM CHAIR

Matthew B. Dwyer
University of Nebraska
[email protected]

ONWARD! PROGRAM CHAIRS

Jonathan Edwards/Julia Steele
MIT/O’Reilly
[email protected] ONW
ARD!
[email protected] OO P S L A

DLS PROGRAM CHAIR

Alessandro Warth
Google
[email protected]

FOR MORE INFORMATION

[email protected]
http://splashcon.org/

SPLASH is sponsored by
ACM SIGPLAN
ACM TechNews Goes Mobile
iPhone & iPad Apps Now Available in the iTunes Store
ACM TechNews—ACM’s popular thrice-weekly news briefing service—is now
available as an easy to use mobile apps downloadable from the Apple iTunes Store.
These new apps allow nearly 100,000 ACM members to keep current with
news, trends, and timely information impacting the global IT and Computing
communities each day.

TechNews mobile app users will enjoy:

• Latest News: Concise summaries of the most
relevant news impacting the computing world
• Original Sources: Links to the full-length
articles published in over 3,000 news sources
• Archive access: Access to the complete
archive of TechNews issues dating back to
the first issue published in December 1999
• Article Sharing: The ability to share news
with friends and colleagues via email, text
messaging, and popular social networking sites
• Touch Screen Navigation: Find news
articles quickly and easily with a
streamlined, fingertip scroll bar
• Search: Simple search the entire TechNews
archive by keyword, author, or title
• Save: One-click saving of latest news or archived
summaries in a personal binder for easy access
• Automatic Updates: By entering and saving
your ACM Web Account login information,
the apps will automatically update with
the latest issues of TechNews published
every Monday, Wednesday, and Friday

The Apps are freely available to download from the Apple iTunes Store, but users must be registered
individual members of ACM with valid Web Accounts to receive regularly updated content.
http://www.apple.com/iphone/apps-for-iphone/  http://www.apple.com/ipad/apps-for-ipad/

ACM TechNews
 research highlights
p. 104 p. 105
Technical
Perspective Looking Back and Looking
For Better or Worse, Forward: Power, Performance,
Benchmarks
Shape a Field and Upheaval
By David Patterson By Hadi Esmaeilzadeh, Ting Cao, Xi Yang,
Stephen M. Blackburn, and Kathryn S. McKinley

p. 115 p. 116
Technical
Perspective Intrinsic Robustness
Why Study of the Price of Anarchy
the Price By Tim Roughgarden
of Anarchy?
By Amos Fiat

ju ly 2 0 1 2 | vo l . 55 | n o. 7 | com m u n i c at ion s o f t h e acm 103

research highlights
Technical Perspective
For Better or Worse,
Benchmarks Shape a Field
By David Patterson
fields, computer archi-
L i k e oth er I T
tects initially reported incomparable
results. We quickly saw the folly of
this approach. We then went through
a sequence of performance metrics,
with each being an improvement on
its predecessor: average instruction
time, millions of instructions per sec-
ond (MIPS), millions of floating point
operations per second (MEGAFLOPS),
synthetic program performance
(DHRYSTONES), and ultimately aver-
age performance improvement rela-
tive to a reference computer based on a
suite of real programs (SPEC CPU).
When a field has good benchmarks,
we settle debates and the field makes
rapid progress. Indeed, the accelera-
tion in computer performance from
25% to 50% per year starting in the mid-
1980s is due in part to our ability to fair-
ly compare competing designs as well
as to Moore’s Law. Similarly, computer
vision made dramatic advances in the
last decade after it embraced bench-
marks to evaluate innovations in vision
algorithms.a
Sadly, when a field has bad bench-
marks, progress can be problematic.
For example, despite being discredited
in textbooks since 1990,b embedded
computing still reports DHRYSTONES
when making performance claims.
How do we know whether a new em-
bedded processor is a genuine break-
through, or simply the result of cynical
benchmarketering, in that it runs the
benchmark quickly but real programs
slowly? The answer is we cannot know
from DHRYSTONE reports.
In the following paper, the authors
point out that while computer architec-
ture has a glorious past, it has become
a D. Martin, C. Fowlkes, D. Tal, and J. Malik, “A
Database of Human Segmented Natural Imag-
es and its Application to Evaluating Segmen-
tation Algorithms and Measuring Ecological
Statistics.” Proc. 8th Int’l Conf. Computer Vision,
(July 2001), 416–423.
b J. Hennessy and D. Patterson, Computer Ar-
chitecture: A Quantitative Approach, 1st Edition,
Morgan Kauffman, 1990.
104 com municatio ns o f th e ac m | j u ly 201 2 | vo l . 5 5 | no. 7
a victim of its own success. The SPEC
organization has been selecting old
programs written in old languages that
reflect the state of programming in the
1980s. Given the 1,000,000X improve-
ment in cost-performance since C++ was
unveiled in 1979, most programmers
have moved on to more productive lan-
guages. Indeed, a recent survey supports
that claim: only 25% of programs are be-
ing written in languages like C and C++.c
Hence, the authors supplement SPEC’s
C and C++ programs, which manage
storage manually, with Java programs
that manage storage automatically. They
called the former programs native lan-
guages and the latter managed.
Sequential Parallel
(Non-Scalable) (Scalable)
C and C++
(Native)
Java
(Managed)
The paper reflects a second impor-
tant trend. The power limit of what a
chip could dissipate forced micropro-
cessor manufacturer to switch from
a single high-clock rate processor per
chip to multiple processors or cores per
chips. Thus, the authors include both
sequential and parallel benchmarks;
they call the former non-scalable and the
latter scalable. Moreover, the authors
report on power and energy in addition
to performance. In this PostPC Era, bat-
tery life can trump performance in the
client, and the architects of warehouse-
scale computers try to optimize the
costs of powering and cooling 100,000
servers as well as improving cost-perfor-
mance. Just as we learned that measur-
ing time in seconds is a safer measure
of program performance than a rate
like MIPS, we are learning that Joules is
a better measure than a rate like Watts,
which is just Joules/second. The au-
thors report both Watts and Joules in
addition to relative performance.
c R.S. King, “The Top 10 Programming Languages.”
(Oct. 2011); http://spectrum.ieee.org/at-work/tech-
careers/the-top-10-programming-languages/
doi:10.1145/ 2209249.2 2 0 9 2 71
Given this measurement frame-
work, the authors then measured eight
very different Intel microprocessors
built over a seven-year period. The au-
thors evaluate these eight micropro-
cessors using 61 programs, which each
fit into one of the four quadrants in the
matrix here.
This treasure chest of data—record-
ed in large tables in the ACM Digital Li-
brary in addition to this paper—allows
the authors (and the rest of us) to ask
and answer many questions based on
real hardware. This opportunity is a re-
freshing change from research results
based on simulation, which has domi-
nated the literature for the last decade.
Here are four examples of questions
we can now address:
˲˲ Do performance, power, or energy
of the red quadrant programs predict
the results of any of the programs from
the other quadrants? (If not, the archi-
tects must extend their conventional
evaluation methods.)
˲˲ Do the native parallel (yellow) pro-
grams predict the managed parallel
(green) programs? (If not, given the
shift in popularity of programming
languages, then many evaluations of
multiprocessors should be redone.)
˲˲ Is multicore more energy efficient
than multithreading? (If not, then mul-
ticore designs that do not offer multi-
threading may be suspect.)
˲˲ Surely recent in-order execution
processors are more energy efficient
than modern four-instruction-issue,
out-of-order execution processors? (If
not, conventional wisdom on energy
efficient processor design is incorrect.)
Hint: The answers are: No, No, No,
and No.
Readers interested in trying to find
the answer to these and computing’s
other persistent questions just need to
read the following paper.
David Patterson is the Pardee Professor of Computer
Science at the University of California at Berkeley.
© 2012 ACM 0001-0782/12/07 $15.00

Looking Back and Looking
Forward: Power, Performance,
and Upheaval
By Hadi Esmaeilzadeh, Ting Cao, Xi Yang, Stephen M. Blackburn, and Kathryn S. McKinley
Abstract
The past 10 years have delivered two significant revolu-
tions. (1) Microprocessor design has been transformed by
the limits of chip power, wire latency, and Dennard scal-
ing—leading to multicore processors and heterogeneity. (2)
Managed languages and an entirely new software landscape
emerged—revolutionizing how software is deployed, is sold,
and interacts with hardware. Researchers most often exam-
ine these changes in isolation. Architects mostly grapple
with microarchitecture design through the narrow software
context of native sequential SPEC CPU benchmarks, while
language researchers mostly consider microarchitecture in
terms of performance alone. This work explores the clash
of these two revolutions over the past decade by measur-
ing power, performance, energy, and scaling, and considers
what the results may mean for the future. Our diverse find-
ings include the following: (a) native sequential workloads
do not approximate managed workloads or even native
­parallel workloads; (b) diverse application power profiles
suggest that future applications and system software will
need to participate in power optimization and management;
and (c) software and hardware researchers need access to
real measurements to optimize for power and energy.
1. INTRODUCTION
Quantitative performance analysis is the foundation for
computer system design and innovation. In their classic
paper, Emer and Clark noted that “A lack of detailed tim-
ing information impairs efforts to improve performance.”5
They pioneered the quantitative approach by characterizing
instruction mix and cycles per instruction on time-sharing
workloads. They surprised expert reviewers by demonstrating a
gap between the theoretical 1 MIPS peak of the VAX-11/780
and the 0.5 MIPS it delivered on real workloads. Industry and
academic researchers in software and hardware all use and
extend this principled performance analysis methodology.
Our research applies this quantitative approach to measured
power. This work is timely because the past decade heralded
the era of power- and energy-constrained hardware design.a
Furthermore, demand for energy efficiency has intensified
in large-scale systems, in which energy began to dominate
costs, and in mobile systems, which are limited by battery
life. A lack of detailed energy measurements is impairing
efforts to reduce energy consumption on modern workloads.
a
  Energy = power × execution time.
doi:10.1145/ 2209249 . 2 2 0 9 2 72
Society has benefited enormously from exponential
­ ardware performance improvements. Moore observed that
h
transistors will be smaller and more numerous in each new
generation.15 For a long time, this simple rule of integrated
circuit fabrication came with an exponential and transpar-
ent performance dividend. Shrinking a transistor lowers
its gate delay, which raises the processor’s theoretical clock
speed (Dennard scaling3). Until recently, shrinking transis-
tors ­delivered corresponding clock speed increases and more
­transistors in the same chip area. Architects used the transis-
tor bounty to add memory, prefetching, branch prediction,
multiple instruction issue, and deeper pipelines. The result
was exponential single-threaded performance improvements.
Unfortunately, physical power and wire-delay limits
will derail the clock speed bounty of Moore’s law in cur-
rent and future technologies. Power is now a first-order
hardware design constraint in all market segments.
Power constraints now severely limit clock scaling and
prevent using all transistors simultaneously.6, 8, 16 In addi-
tion, the physical limitations of wires prevent single cycle
access to a growing number of the transistors on a chip.9
To effectively use more transistors at smaller technologies,
these limits forced manufacturers to turn to chip multi-
processors (CMPs) and recently to heterogeneous parallel
systems that seek power efficiency through specializa-
tion. Parallel heterogeneous hardware requires parallel
software and exposes software developers to ongoing
hardware upheaval. Unfortunately, most software today
is not parallel, nor is it designed to modularly decompose
onto a heterogeneous substrate.
Moore’s transistor bounty also drove orthogonal and
disruptive changes in how software is deployed, is sold, and
interacts with hardware over this same decade. Demands for
correctness, complexity management, programmer pro-
ductivity, time-to-market, reliability, security, and portability
pushed developers away from low-level compiled ahead-of-time
(native) programming languages. Developers increasingly
Original version: “Looking Back on the Language and Hardware
Revolutions: Measured Power, Performance, and Scaling,” ACM
Conference on Architecture Support for Programming
Languages and Operating Systems, pp. 319–332, Newport
Beach, CA, 2011. Also published as “What Is Happening to
Power, Performance and Software?,” IEEE Micro Top Picks
from the Computer Architecture Conferences of 2011,
May/June 2012, IEEE Computer Society.
ju ly 2 0 1 2 | vo l . 5 5 | n o. 7 | com m u n i c at ion s o f t h e ac m 105
research highlights
choose high-level managed programming languages with
a selection of safe pointer disciplines, garbage collection
(automatic memory management), extensive standard librar-
ies, and dynamic just-in-time compilation for hardware porta-
bility. For example, modern Web services combine managed
languages, such as PHP on the server side and JavaScript on
the client side. In markets as diverse as financial software
and cell phone applications, Java and .NET are the domi-
nant choices. The exponential performance improvements
provided by hardware hid many of the costs of high-level
languages and helped create a virtuous cycle with ever more
capable and high-level software. This ecosystem is result-
ing in an explosion of developers, software, and devices that
continue to change how we live and learn.
Unfortunately, a lack of power measurements is impair-
ing efforts to reduce energy consumption on traditional and
modern software.
2. OVERVIEW
Our work quantitatively examines power, performance,
and scaling during this period of disruptive software and
hardware changes (2003–2011). Voluminous research
explores performance analysis and a growing body of work
explores power (see Section 6), but our work is the first to
systematically measure the power, performance, and energy
characteristics of software and hardware across a range of
processors, technologies, and workloads.
We execute 61 diverse sequential and parallel bench-
marks written in three native languages and one managed
language, all widely used: C, C++, Fortran, and Java. We
choose Java because it has mature virtual machine technol-
ogy and substantial open source benchmarks. We choose
eight representative Intel IA32 processors from five tech-
nology generations (130 nm to 32 nm). Each processor has
an isolated processor power supply with stable voltage on
the motherboard, to which we attach a Hall effect sensor
that measures power supply current, and hence processor
power. We calibrate and validate our sensor data. We find
that power consumption varies widely among benchmarks.
Furthermore, relative performance, power, and energy are
not well predicted by core count, clock speed, or reported
Thermal Design Power (TDP). TDP is the nominal amount
of power the chip is designed to dissipate (i.e., without
exceeding the maximum transistor junction temperature).
Using controlled hardware configurations, we explore the
energy impact of hardware features and workload. We per-
form historical and Pareto analyses that identify the most
power- and performance-efficient designs in our architecture
configuration space. We make all of our data publicly avail-
able in the ACM Digital Library as a companion to our origi-
nal ASPLOS 2011 paper. Our data quantifies a large number
of workload and hardware trends with precision and depth,
some known and many previously unreported. This paper
highlights eight findings, which we list in Figure 1. Two
themes emerge from our analysis: workload and architecture.
Workload. The power, performance, and energy trends of
native workloads substantially differ from managed and par-
allel native workloads. For example, (a) the SPEC CPU2006
native benchmarks draw significantly less power than
106 comm unicatio ns o f t h e ac m | j u ly 201 2 | vol. 5 5 | no. 7
Figure 1. Eight findings from an analysis of measured chip power,
performance, and energy on 61 workloads and eight processors.
The ASPLOS paper includes more findings and analysis.
Findings
Power consumption is highly application dependent and is poorly correlated
to TDP.
Power per transistor is relatively consistent within microarchitecture family,
independent of process technology.
Energy-efficient architecture design is very sensitive to workload.
Configurations in the native non-scalable Pareto Frontier substantially differ
from all the other workloads.
Comparing one core to two, enabling a core is not consistently energy efficient.
The Java Virtual Machine induces parallelism into the execution of single-
threaded Java benchmarks.
Simultaneous multithreading delivers substantial energy savings for recent
hardware and for in-order processors.
Two recent die shrinks deliver similar and surprising reductions in energy,
even when controlling for clock frequency.
Controlling for technology, hardware parallelism, and clock speed, the out-of-
order architectures have similar energy efficiency as the in-order ones.
­ arallel benchmarks and (b) managed runtimes exploit par-
p
allelism even when executing single-threaded applications.
The results recommend that systems researchers include
managed and native, sequential and parallel workloads
when designing and evaluating energy-efficient systems.
Architecture. Hardware features such as clock scaling,
gross microarchitecture, simultaneous multithreading, and
chip multiprocessors each elicit a huge variety of power,
performance, and energy responses. This variety and the
difficulty of obtaining power measurements recommend
exposing on-chip power meters and, when possible, power
meters for individual structures, such as cores and caches.
Modern processors include power management techniques
that monitor power sensors to minimize power usage and
boost performance. However, only in 2011 (after our origi-
nal paper) did Intel first expose energy counters, in their
production Sandy Bridge processors. Just as hardware event
counters provide a quantitative grounding for performance
innovations, future architectures should include power and/or
energy meters to drive innovation in the power-constrained
computer systems era.
Measurement is key to understanding and optimization.
3. METHODOLOGY
This section presents an overview of essential elements of
our methodology. We refer the reader to the original paper
for a more detailed treatment.
3.1. Software
We systematically explore workload selection and show that it
is a critical component for analyzing power and performance.
Native and managed applications embody different trade-offs
between performance, reliability, portability, and deployment.
It is impossible to meaningfully separate language from
workload and we offer no commentary on the virtue of lan-
guage choice. We create four workloads from 61 benchmarks.
Native non-scalable: C, C++, and Fortran single-threaded
compute-intensive benchmarks from SPEC CPU2006.
Native scalable: Multithreaded C and C++ benchmarks from
PARSEC.
Java non-scalable: Single and multithreaded benchmarks
that do not scale well from SPECjvm, DaCapo 06-10-MR2,
DaCapo 9.12, and pjbb2005.
Java scalable: Multithreaded Java benchmarks from DaCapo
9.12 that scale in performance similarly to native scalable
on the i7 (45).
We execute the Java benchmarks on the Oracle HotSpot 1.6.0
virtual machine because it is a mature high-performance
­virtual machine. The virtual machine dynamically optimizes
each benchmark on each architecture. We use best practices for
virtual machine measurement of steady state performance.2
We compile the native non-scalable workload with icc at –o3.
We use gcc at –o3 for the native scalable workload because
icc did not correctly compile all benchmarks. The icc compiler
generates better performing code than gcc. We execute the
same native binaries on all machines. All the parallel native
benchmarks scale up to eight hardware ­contexts. The Java scal-
able workload is the subset of Java benchmarks that scale well.
3.2. Hardware
Table 1 lists our eight Intel IA32 processors which cover four
process technologies (130 nm, 65 nm, 45 nm, and 32 nm)
and four microarchitectures (NetBurst, Core, Bonnell, and
Nehalem). The release price and date give context regarding
Intel’s market placement. The Atoms and the Core 2Q (65)
Kentsfield are extreme market points. These processors are
only examples of many processors in each family. For example,
Intel sells over 60 Nehalems at 45 nm, ranging in price from
around $190 to over $3700. We believe that these samples are
representative because they were sold at similar price points.
To explore the influence of architectural features, we selec-
tively down-clock the processors, disable cores on these chip
multiprocessors (CMP), disable simultaneous multithread-
ing (SMT), and disable Turbo Boost using BIOS configuration.
3.3. Power, performance, and energy measurement
We isolate the direct current (DC) power supply to the pro-
cessor on the motherboard and measure its current with
Pololu’s ACS714 current sensor board. The supply voltage
is very stable, varying by less than 1%, which enables us to
correctly calculate power. Prior work used a clamp amme-
ter, which can only measure alternating current (AC), and is
therefore limited to measuring the whole system.10, 12 After
publishing the original paper, Intel made chip-level and
core-level energy measurements available on Sandy Bridge
processors.4 Our methodology should slightly overstate chip
power because it includes losses due to the motherboard’s
voltage regulator. Validating against the Sandy Bridge energy
counter shows that our power measurements consistently
measure about 5% more current.
We execute each benchmark multiple times on every
architecture, log its power values, and then compute average
power consumption. The aggregate 95% confidence inter-
vals of execution time and power range from 0.7% to 4%. The
measurement error in time and power for all processors and
benchmarks is low. We compute arithmetic means over the
four workloads, weighting each workload equally. To avoid
biasing performance measurements to any one architec-
ture, we compute a reference performance for each bench-
mark by averaging the execution time on four architectures:
Pentium 4 (130), Core 2D (65), Atom (45), and i5 (32). These
choices capture four microarchitectures and four technol-
ogy generations. We also normalize energy to a reference,
since energy = power × time. The reference energy is the aver-
age benchmark power on the four processors multiplied by
their average execution time.
We measure the 45 processor configurations (8 stock
and 37 BIOS configurations) and produce power and

Table 1. Specifications for the eight processors used in the experiments.

VID
Release Price CMP Clock Trans Die Range TDP FSB B/W DRAM
Processor mArch Processor sSpec date (USD) SMT LLC (B) (GHz) nm M (mm2) (V) (W) (MHz) (GB/s) Model
Pentium 4 NetBurst Northwood SL6WF May ‘03 – 1C2T 512K 2.4 130 55 131 – 66 800 – DDR-
400
Core 2 Duo Core Conroe SL9S8 Jul ‘06 316 2C1T 4M 2.4 65 291 143 0.85– 65 1066 – DDR2-
E6600 1.50 800
Core 2 Quad Core Kentsfield SL9UM Jan ‘07 851 4C1T 8M 2.4 65 582 286 0.85– 105 1066 – DDR2-
Q6600 1.50 800
Core i7 Nehalem Bloomfield SLBCH Nov ‘08 284 4C2T 8M 2.7 45 731 263 0.80– 130 – 25.6 DDR3-
920 1.38 1066
Atom Bonnell Diamondville SLB6Z Jun ‘08 29 1C2T 512K 1.7 45 47 26 0.90– 4 533 – DDR2-
230 1.16 800
Core 2 Duo Core Wolfdale SLGTD May ‘09 133 2C1T 3M 3.1 45 228 82 0.85– 65 1066 – DDR2-
E7600 1.36 800
Atom Bonnell Pineview SLBLA Dec ‘09 63 2C2T 1M 1.7 45 176 87 0.80– 13 665 – DDR2-
D510 1.17 800
Core i5 Nehalem Clarkdale SLBLT Jan ‘10 284 2C2T 4M 3.4 32 382 81 0.65– 73 – 21.0 DDR3-
670 1.40 1333

ju ly 2 0 1 2 | vo l . 5 5 | n o. 7 | com m u n i c at ion s o f t h e ac m 107

research highlights
performance data for each benchmark and processor.
Figure 2 shows an example of this data, plotting the power
versus performance characteristics for one of the 45 proces-
sor configurations, the stock i7 (45).
4. PERSPECTIVE
We organize our analysis into eight findings, as summarized
in Figure 1. The original paper contains additional analyses
and findings. We begin with broad trends. We show that
applications exhibit a large range of power and performance
characteristics that are not well summarized by a single
number. This section conducts a Pareto energy efficiency
analysis for all of the 45 nm processor configurations. Even
with this modest exploration of architectural features, the
results indicate that each workload prefers a different hard-
ware configuration for energy efficiency.
4.1. Power is application dependent
The nominal thermal design power (TDP) for a processor is
the amount of power the chip may dissipate without exceed-
ing the maximum transistor junction temperature. Table 1
lists TDP for each processor. Because measuring real proces-
sor power is difficult and TDP is readily available, TDP is often
substituted for real measured power. Figure 3 shows that this
substitution is problematic. It plots measured power on a log-
arithmic scale for each benchmark on each stock processor
as a function of TDP and indicates TDP with an “✗.” TDP is
strictly higher than actual power. The gap between peak mea-
sured power and TDP varies from processor to processor and
TDP is up to a factor of four higher than measured power. The
variation among benchmarks is highest on the i7 (45) and i5
(32), likely reflecting their advanced power management. For
example, on the i7 (45), measured power varies between 23 W
for 471.omnetpp and 89 W for fluidanimate! The smallest
Figure 2. Power/performance distribution on the i7 (45). Each point
represents one of the 61 benchmarks. Power consumption is highly
variable among the benchmarks, spanning from 23 W to 89 W. The
wide spectrum of power responses from different applications
points to power saving opportunities in software.
100
90
80
70
Power (W)
60
50
40
30
20
2.00 3.00 4.00 5.00 6.00 7.00
Performance/Reference
Native non-scale Native scale
Java non-scale Java scale
108 co m municatio ns of t h e ac m | j u ly 201 2 | vol . 5 5 | no. 7
variation between maximum and minimum is on the Atom
(45) at 30%. This trend is not new. All the processors exhibit
a range of benchmark-specific power variation. TDP loosely
correlates with power consumption, but it does not provide a
good estimate for (1) maximum power consumption of indi-
vidual processors, (2) comparing among processors, or (3)
approximating benchmark-specific power consumption.
Finding: Power consumption is highly application dependent
and is poorly correlated to TDP.
Figure 2 plots power versus relative performance for each
benchmark on the i7 (45), which has eight hardware contexts
and is the most recent of the 45 nm processors. Native (red) and
managed (green) are differentiated by color, whereas scalable
(triangle) and non-scalable (­ circle) are differentiated by shape.
Unsurprisingly, the scalable benchmarks (triangles) tend to
perform the best and consume the most power. More unex-
pected is the range of power and performance characteristics of
the non-scalable benchmarks. Power is not strongly correlated
with performance across workload or benchmarks. The points
would form a straight line if the correlation were strong. For
example, the point on the bottom right of the figure achieves
almost the best relative performance and lowest power.
4.2. Historical overview
Figure 4(a) plots the average power and performance for
each processor in their stock configuration relative to the
reference ­performance, using a log/log scale. For example,
the i7 (45) points are the average of the workloads derived
from the points in Figure 2. Both graphs use the same color
for all of the experimental processors in the same family.
The shapes encode release age: a square is the oldest, the
diamond is next, and the triangle is the youngest, smallest
technology in the family.
Figure 3. Measured power for each processor running 61 benchmarks.
Each point represents measured power for one benchmark. The
“✗”s are the reported TDP for each processor. Power is application
dependent and does not strongly correlate with TDP.
100
Measured power (W) (log)
10
8.00 1
1 10 100
TDP (W) (log)
P4 (130) C2D (65) C2Q (65) i7 (45)
Atom (45) C2D (45) AtomD (45) i5 (32)
Figure 4. Power/performance trade-off by processor. Each point is
an average of the four workloads. (a) Power/performance trade-offs
have changed from Pentium 4 (130) to i5 (32). (b) Power and
performance per million transistors. Power per million transistors
is consistent across different microarchitectures regardless of the
technology node. On average, Intel processors burn around 1 W for
every 20 million transistors.
Power (W) (log)
20.0
2.0
0.30 3.00
Performance/Reference performance (log)
(a)
Power (W)/106 transistors (log)
0.22
0.02
0.004 0.008 0.012 0.016
6
Performance/10 transistors (log)
(b)
While historically mobile devices have been extensively
optimized for power, general-purpose processor design
has not. Several results stand out that illustrate that power
is now a first-order design goal and trumps performance in
some cases. (1) The Atom (45) and Atom D (45) are designed
as low-power processors for a different market; however,
they successfully execute all these benchmarks and are the
most power-efficient processors. Compared to the Pentium 4
(130), they degrade performance modestly and reduce power
enormously, consuming as little as one-twentieth the power.
Device scaling from 130 nm to 45 nm contributes ­significantly
to the power reduction from Pentium to Atom. (2) A compari-
son between 65 nm and 45 nm generations using the Core 2D
(65) and Core 2D (45) shows only a 25% increase in perfor-
mance, but a 35% drop in power. (3) A comparison of the two
most recent 45 nm and 32 nm generations using the i7 (45) and
i5 (32) shows that the i5 (32) delivers about 15% less perfor-
mance, while consuming about 40% less power. This result
has three root causes: (a) the i7 (45) has four cores instead
of two on the i5 (32); (b) since half the benchmarks are scal-
able multithreaded benchmarks, the software parallelism
benefits more from the additional two cores, increasing the
advantage to the i7 (45); and (c) the i7 (45) has significantly
better memory performance. Comparing the Core 2D (45) to
the i5 (32) where the number of processors are matched, we
find that the i5 (32) delivers 50% better performance, while
consuming around 25% more power than the Core 2D (45).
Contemporaneous comparisons also reveal the ten-
sion between power and performance. For example, the
contrast between the Core 2D (45) and i7 (45) shows that
the i7 (45) delivers 75% more performance than the Core
2D (45), but this performance is very costly in power, with
Pentium4 (130) an increase of nearly 100%. These processors thus span a
C2D (65) wide range of energy trade-offs within and across the gen-
C2Q (65) erations. Overall, these results indicate that optimizing for
i7 (45) both power and performance is proving a lot more chal-
Atom (45) lenging than optimizing for performance alone.
C2D (45) Figure 4(b) explores the effect of transistors on power and
performance by dividing them by the number of transistors
AtomD (45)
in the package for each processor. We include all transistors
i5 (32)
because our power measurements occur at the level of the
package, not the die. This measure is rough and will downplay
results for the i5 (32) and Atom D (45), each of which have a
Graphics Processing Unit (GPU) in their package. Even though
the benchmarks do not exercise the GPUs, we cannot discount
Pentium4 (130) them because the GPU transistor counts on the Atom D (45)
C2D (65) are undocumented. Note the similarity between the Atom (45),
C2Q (65) AtomD (45), Core 2D (45), and i5 (32), which at the bottom right
of the graph are the most efficient processors by the transistor
i7 (45)
Atom (45) metric. Even though the i5 (32) and Core 2D (45) have five to
eight times more transistors than the Atom (45), they all eke
C2D (45)
out very similar performance and power per transistor. There
AtomD (45)
are likely bigger differences to be found in power efficiency per
i5 (32)
transistor between chips from different manufacturers.
Finding: Power per transistor is relatively consistent within micro-
architecture family, independent of process technology.
The leftmost processors in the graph yield the smallest
amount of performance per transistor. Among these proces-
sors, the Core 2Q (65) and i7 (45) yield the least performance
per transistor and use the largest caches among our set. The
large 8MB caches are not effective. The Pentium 4 (130) is per-
haps most remarkable—it yields the most performance per
transistor and consumes the most power per transistor by a
considerable margin. In summary, performance per transistor
is inconsistent across microarchitectures, but power per tran-
sistor is more consistent. Power per transistor correlates well
with microarchitecture, regardless of technology generation.
4.3. Pareto analysis at 45 nm
The Pareto optimal frontier defines a set of choices that are
most efficient in a trade-off space. Prior research uses the
Pareto frontier to explore power versus performance using
models to derive potential architectural designs on the fron-
tier.1 We present a Pareto frontier derived from measured
performance and power. We hold the process technology con-
stant by using the four 45 nm processors: Atom (45), Atom
D (45), Core 2D (45), and i7 (45). We expand the number of
processor configurations from 4 to 29 by configuring the
number of hardware contexts (SMT and CMP), by clock scal-
ing, and disabling/enabling Turbo Boost. The 25 non-stock
configurations represent alternative design points. For each
configuration, we compute the averages for each workload
ju ly 2 0 1 2 | vo l . 5 5 | n o. 7 | c om m u n i c at ion s of t h e acm 109
research highlights

and their average to produce an energy/performance scat-
ter plot (not shown here). We next pick off the frontier—the
points that are not dominated in performance or energy effi-
ciency by any other point—and fit them with a polynomial
curve. Figure 5 plots these polynomial curves for each work-
load and the average. The rightmost curve delivers the best
performance for the least energy.
Each row of Figure 6 corresponds to one of the five curves
in Figure 5. The check marks identify the Pareto-efficient
configurations that define the bounding curve and include
15 of 29 configurations. Somewhat surprising is that none of
the Atom D (45) configurations are Pareto efficient. Notice
the following: (1) Native non-scalable shares only one choice
with any other workload. (2) Java scalable and the average
share all the same choices. (3) Only two of eleven choices
for Java non-scalable and Java scalable are common to both.
(4) Native non-scalable does not include the Atom (45) in
its frontier. This last finding contradicts prior simulation
work, which concluded that dual-issue in-order cores and
dual-issue out-of-order cores are Pareto optimal for native
non-scalable.1 Instead, we find that all of the Pareto-efficient
points for native non-scalable in this design space are
quad-issue out-of-order i7 (45) configurations.
Figure 5 starkly shows that each workload deviates sub-
stantially from the average. Even when the workloads share
Figure 5. Energy/performance Pareto frontiers (45 nm). The energy/
performance optimal designs are application dependent and
significantly deviate from the average case.
0.60
Normalized workload energy
points, the points fall in different places on the curves
because each workload exhibits a different energy/perfor-
mance trade-off. Compare the scalable and non-scalable
benchmarks at 0.40 normalized energy on the y-axis. It is
impressive how well these architectures effectively exploit
software parallelism, pushing the curves to the right and
increasing performance from about 3 to 7 while holding
energy constant. This measured behavior confirms prior
model-based observations about the role of software parallel-
ism in extending the energy/performance curve to the right.1
Finding: Energy-efficient architecture design is very sensitive to
workload. Configurations in the native non-scalable
Pareto frontier differ substantially from all other
workloads.
In summary, architects should use a variety of workloads,
and in particular, should avoid only using native non-scalable
workloads.
5. FEATURE ANALYSIS
Our original paper evaluates the energy effect of a range of
hardware features: clock frequency, die shrink, memory
hierarchy, hardware parallelism, and gross microarchitec-
ture. This analysis resulted in a large number of findings
and insights. Reader and reviewer feedback yielded a diver-
sity of opinions as to which findings were most surprising
and interesting. This section presents results exploring chip
multiprocessing (CMP), simultaneous multithreading (SMT),
technology scaling with a die shrink, and gross microarchi-
tecture, to give a flavor of our analysis.

0.55
0.50
0.45
5.1. Chip multiprocessors
0.40
Average Figure 7 shows the average power, performance, and energy
0.35 Native non-scale effects of chip multiprocessors (CMPs) by comparing one
0.30 Native scale core to two cores for the two most recent processors in our
0.25 Java non-scale study. We disable Turbo Boost in these analyses because
0.20 Java scale it adjusts power dynamically based on the number of idle
0.15 cores. We disable Simultaneous Multithreading (SMT)
0.00 2.00 4.00 6.00
to maximally expose thread-level parallelism to the CMP
Workload performance/Workload reference performance
hardware feature. Figure 7(a) compares relative power, per-
formance, and energy as a weighted average of the work-
loads. Figure 7(b) shows a break down of the energy as a
Figure 6. Pareto-efficient processor configurations for each function of workload. While average energy is reduced by
workload. Stock configurations are bold. Each “✔” indicates that the 9% when adding a core to the i5 (32), it is increased by 12%
configuration is on the energy/performance Pareto-optimal curve.
Native non-scalable has almost no overlap with any other workload.
when adding a core to the i7 (45). Figure 7(a) shows that the
source of this difference is that the i7 (45) experiences twice
the power overhead for enabling a core as the i5 (32), while
i7( )1C2 @2. Hz N GHz

Hz B
i7( 4C @1. Hz oTB
i7( )1C2 @1. Hz TB
z

.7G NoT
i7( )1C1 5)2C @1.6 z
T@ 1T@ GH
H

producing roughly the same ­performance improvement.

o
T 7G 3.1

i7( )4C2 @2. Hz N

i7( 2D( )2C1 1.7G

i7( )4C @2. Hz

@2 Hz
i7( )2C2 @1. Hz

2T 2.7G z
i7( 4C1 @2. Hz
i7( )2C1 @2. Hz

i7( )4C @1. Hz

H
45 2T 6G
T 4G

45 2T@ 1G
T 7G
T 7G
45 1T 6G
T 6G

T 6G
@

G
T

Finding: Comparing one core to two, enabling a core is not

Co D(4 2T

i7( 1C1 2.
re2 )1C

consistently energy efficient.

T
5
45 4
Co (45

)4C
)

)
m

re

45
45
45
45
45
45

45
45
Ato

Figure 7(b) shows that native non-scalable and Java non-

Native non-scalable     scalable suffer the most energy overhead with the addition
Native scalable      
Java non-scalable        of another core on the i7 (45). As expected, performance
Java scalable      for native non-scalable is unaffected. However, turning on
Average      an additional core for native non-scalable leads to a power
increase of 4% and 14%, respectively, for the i5 (32) and

110 co m munic atio ns of t h e ac m | j u ly 201 2 | vol . 5 5 | no. 7

Figure 7. CMP: Comparing two cores to one core. (a) Impact of
doubling the number of cores on performance, power, and energy,
averaged over all four workloads. (b) Energy impact of doubling
the number of cores for each workload. Doubling the cores is not
consistently energy efficient among processors or workloads.
1.60
1.50
1.40
Figure 8. Scalability of single-threaded Java benchmarks.
Counterintuitively, some single-threaded Java benchmarks scale
well. This is because the underlying JVM exploits parallelism for
compilation, profiling, and garbage collection.
1.60
1.50
1.40

2 Cores/1 Core
2 Cores/1 Core

1.30
1.20 1.30
1.10 1.20
1.00
0.90 1.10
0.80 1.00
0.70
0.60 0.90
Performance Power Energy

tlr

ck

db

ss

io

c
s
oa
de

va
fo

es

ud
je
ja
an

bl

ja
in

pr

ga
i7 (45) i5 (32)

lu

pe
co

m
(a)
1.20
1.10 Figure 9. SMT: one core with and without SMT. (a) Impact of enabling
2 Cores/1 Core

1.00 two-way SMT on a single-core with respect to performance, power, and

energy, averaged over all four workloads. (b) Energy impact of enabling
0.90
two-way SMT on a single core for each workload. Enabling SMT delivers
0.80 significant energy savings on the recent i5 (32) and the in-order Atom (45).
0.70 1.60
0.60 1.50
1.40
2 Threads/1 Thread

Native Native Java Java

non-scale scale non-scale scale 1.30
1.20
i7 (45) i5 (32)
1.10
(b) 1.00
0.90
0.80
i7 (45), translating to energy overheads. 0.70
0.60
More interesting is that Java non-scalable does not incur Performance Power Energy
energy overhead when enabling another core on the i5 (32).
Pentium 4 (130) i7 (45) Atom (45) i5 (32)
In fact, we were surprised to find that the reason for this is
that the single-threaded Java non-scalable workload runs (a)
faster with two processors! Figure 8 shows the scalability 1.20
of the single-threaded subset of Java non-scalable on the 1.10
2 Threads/1 Thread

i7 (45), with SMT disabled, comparing one and two cores.

1.00
Although these Java benchmarks are single-threaded, the
JVMs on which they execute are not. 0.90
0.80
Finding: The JVM induces parallelism into the execution of sin- 0.70
gle-threaded Java benchmarks. 0.60
Native Native Java Java
Since virtual machine runtime services for managed lan- non-scale scale non-scale scale
guages, such as just-in-time (JIT) compilation, profiling, and Pentium 4 (130) i7 (45) Atom (45) i5 (32)
garbage collection, are often concurrent and parallel, they (b)
provide substantial scope for parallelization, even within
ostensibly sequential applications. We instrumented the
HotSpot JVM and found that its JIT compilation and gar- and i7 (45). Each processor supports two-way SMT. SMT pro-
bage collection are parallel. Detailed performance counter vides fine-grain parallelism to distinct threads in the proces-
measurements revealed that the garbage collector induced sors’ issue logic and in modern implementations; threads
memory system improvements with more cores by reducing share all processor components (e.g., execution units and
the collector’s d
­ isplacement effect on the application thread. caches). Singhal states that the small amount of logic exclu-
sive to SMT consumes very little power.18 Nonetheless, this
5.2. Simultaneous multithreading logic is integrated, so SMT contributes a small amount to
Figure 9 shows the effect of disabling simultaneous multi- total power even when disabled. Our results therefore slightly
threading (SMT)19 on the Pentium 4 (130), Atom (45), i5 (32), underestimate the power cost of SMT. We use only one core,

ju ly 2 0 1 2 | vo l . 5 5 | n o. 7 | com m u n i c at ion s o f t h e acm 111

research highlights

ensuring that SMT is the sole opportunity for thread-level
parallelism. Figure 9(a) shows that the performance advan-
tage of SMT is significant. Notably, on the i5 (32) and Atom
(45), SMT improves average performance significantly with-
out much cost in power, leading to net energy savings.
Figure 10. Die shrink: microarchitectures compared across technology
nodes. “Core” shows Core 2D (65)/Core 2D (45) while “Nehalem”
shows i7 (45)/i5 (32) when two cores are enabled. (a) Each processor
uses its native clock speed. (b) Clock speeds are matched in each
comparison. (c) Energy impact with matched clocks, as a function of
workload. Both die shrinks deliver substantial energy reductions.

Finding: SMT delivers substantial energy savings for recent 1.20

Core Nehalem 2C2T
hardware and for in-order processors. 1.00
0.80

New/Old
Given that SMT was and continues to be motivated by the
0.60
challenge of filling issue slots and hiding latency in wide
issue superscalars, it may appear counterintuitive that 0.40
performance on the dual-issue in-order Atom (45) should 0.20
benefit so much more from SMT than the quad-issue i7
0.00
(45) and i5 (32) benefit. One explanation is that the in-order Performance Power Energy
pipelined Atom (45) is more restricted in its capacity to fill
(a)
issue slots. Compared to other processors in this study, the
Atom (45) has much smaller caches. These features accen- 1.20
tuate the need to hide latency, and therefore the value of Core 2.4 GHz Nehalem 2C2T 2.6 GHz
1.00
SMT. The performance improvements on the Pentium 4
(130) due to SMT are half to one-third that of more recent New/Old 0.80
processors, and consequently, there is no net energy advan- 0.60
tage. This result is not so surprising given that the Pentium
0.40
4 (130) is the first commercial implementation of SMT.
Figure 9(b) shows that, as expected, the native non-scal- 0.20
able workload experiences very little energy overhead due 0.00
to enabling SMT, whereas Figure 7(b) shows that enabling a Performance Power Energy
core incurs a significant power and thus energy penalty. The (b)
scalable workloads unsurprisingly benefit most from SMT.
The excellent energy efficiency of SMT is impressive on 0.65
Core 2.4 GHz Nehalem 2C2T 2.6 GHz
recent processors as compared to CMP, particularly given 0.60
its very low die footprint. Compare Figures 7 and 9. SMT 0.55
New/Old

provides less performance improvement than CMP—SMT 0.50

adds about half as much performance as CMP on average
but incurs much less power cost. The results on the modern
processors show that SMT in a much more favorable light
than in Sasanka et al.’s model-based comparative study of
the energy efficiency of SMT and CMP.17
5.3. Die shrink
We use processor pairs from the Core (Core 2D (65)/Core
2D (45) ) and Nehalem (i7 (45)/i5 (32) ) microarchitectures to
explore die shrink effects. These hardware comparisons are
imperfect because they are not straightforward die shrinks.
To limit the differences, we control for hardware parallelism
by limiting the i7 (45) to two cores. The tools and processors
at our disposal do not let us control the cache size, nor do
they let us control for other microarchitecture changes that
accompany a die shrink. We compare at stock clock speeds
and control for clock speed by running both Cores at 2.4 GHz
and both Nehalems at 2.66 GHz. We do not directly control
for core voltage, which differs across technology nodes
for the same frequency. Although imperfect, these are the
first published comparisons of measured energy efficiency
across technology nodes.
Finding: Two recent die shrinks deliver similar and surprising
reductions in energy, even when controlling for clock
frequency.
0.45
0.40
0.35
0.30
Native Native Java Java
non-scale scale non-scale scale
(c)
Figure 10(a) shows the power and performance effects of
the die shrinks with the stock clock speeds for all the pro-
cessors. Figure 10(b) shows the same comparison with
matched clock speeds, and Figure 10(c) breaks down the
workloads for the matched clock speeds. The newer proces-
sors are significantly faster at their higher stock clock speeds
and significantly more power efficient. Figure 10(b) shows
the same experiment, but down-clocking the newer pro-
cessors to match the frequency of their older peers. Down-
clocking the new processors improves their relative power
and energy advantage even further. Note that as expected,
the die-shrunk processors offer no performance advantage
once the clocks are matched; indeed, the i5 (32) performs
10% slower than the i7 (45). However, power consumption
is reduced by 47%. This result is consistent with expecta-
tions, given the lower voltage and reduced capacitance at the
smaller feature size.

112 c o mm unicatio ns o f th e acm | j u ly 201 2 | vol . 5 5 | no. 7

 Figures 10(a) and (b) reveal a striking similarity in power
and energy savings between the Core (65 nm/45 nm) and
Nehalem (45 nm/32 nm) die shrinks. This data suggests that
Intel maintained the same rate of energy reduction across the
two most recent generations. As a point of comparison, the
models used by the International Technology Roadmap for
Semiconductors (ITRS) predicted a 9% increase in frequency
and a 34% reduction in power from 45 nm to 32 nm.11 Figure
10(a) is both more and less encouraging. Clock speed increased
by 26% in the stock configurations of the i7 (45) to the i5 (32)
with an accompanying 14% increase in performance, but power
reduced by 23%, less than the 34% predicted. To more deeply
understand die shrink efficiency on modern processors, one
requires measuring more processors in each technology node.
5.4. Gross microarchitecture change
This section explores the power and performance effect of
gross microarchitectural change by comparing microarchitec-
tures while matching features such as processor clock, degree
of hardware parallelism, process technology, and cache size.
Figure 11 compares the Nehalem i7 (45) with the NetBurst
Pentium 4 (130), Bonnell Atom D (45), and Core 2D (45) micro-
architectures, and it compares the Nehalem i5 (32) with the
Core 2D (65). Each comparison configures the Nehalems to
match the clock speed, number of cores, and hardware threads
of the other architecture. Both the i7 (45) and i5 (32) compari-
sons to the Core show that the move from Core to Nehalem
Figure 11. Gross microarchitecture: a comparison of Nehalem with
four other microarchitectures. In each comparison, the Nehalem
is configured to match the other processor as closely as possible.
(a) Impact of microarchitecture change with respect to performance,
power, and energy, averaged over all four workloads. (b) Energy
impact of microarchitecture for each workload. The most recent
microarchitecture, Nehalem, is more energy efficient than the
others, including the low-power Bonnell (Atom).
Bonnell: i7 (45)/AtomD (45) NetBurst: i7 (45)/Pentium4 (130)
Core: i7 (45)/C2D (45) Core: i5 (32)/C2D (65)
3.00
2.50
Nehalem/Other
2.00
1.50
1.00
0.50
0.00
Performance Power
(a)
1.20
1.00
Nehalem/Other
0.80
0.60
0.40
0.20
0.00
Native Native Java
non-scale scale non-scale
(b)
yields a small 14% performance improvement. This finding is
not inconsistent with Nehalem’s stated primary design goals,
that is, delivering scalability and memory performance.
Finding: Controlling for technology, hardware parallelism,
and clock speed, the out-of-order architectures have
similar energy efficiency as the in-order ones.
The comparisons between the i7 (45) and Atom D (45) and
Core 2D (45) hold process technology constant at 45 nm. All
three processors are remarkably similar in energy consump-
tion. This outcome is all the more interesting because the i7
(45) is disadvantaged since it uses fewer hardware contexts
here than in its stock configuration. Furthermore, the i7 (45)
integrates more services on-die, such as the memory control-
ler, that are off-die on the other processors, and thus outside
the scope of the power meters. The i7 (45) improves upon
the Core 2D (45) and Atom D (45) with a more scalable, much
higher bandwidth on-chip interconnect, which is not exer-
cised heavily by our workloads. It is impressive that, despite
all of these factors, the i7 (45) delivers similar energy effi-
ciency to its two 45 nm peers, particularly when compared to
the low-power in-order Atom D (45). It is unsurprising that
the i7 (45) performs 2.6× faster than the Pentium 4 (130),
while consuming one-third the power, when controlling for
clock speed and hardware parallelism (but not for factors
such as memory speed). Much of the 50% power improve-
ment is attributable to process technology advances. This
speedup of 2.6 over 7 years is however substantially less than
the historical factor of 8 improvement experienced in every
prior 7-year time interval between 1970 through the early
2000s. This difference in improvements marks the begin-
ning of the power-constrained architecture design era.
6. RELATED WORK
The processor design literature is full of performance mea-
surement and analysis. Despite power’s growing impor-
tance, power measurements are still relatively rare.7,10,12 Here,
we summarize related power measurement and s­ imulation
work. Our original paper contains a fuller treatment.
Power measurement. Isci and Martonosi combine a clamp
ammeter with performance counters for per unit power esti-
mation of the Intel Pentium 4 on SPEC CPU2000.10 Fan et al.
estimate whole system power for large-scale data centers.7
They find that even the most power-consuming workloads
draw less than 60% of peak possible power consumption.
Energy We measure chip power and support their results by show-
ing that TDP does not predict measured chip power. Our
work is the first to compare microarchitectures, technology
generations, individual benchmarks, and workloads in the
context of power and performance.
Power modeling. Power modeling is necessary to thor-
oughly explore architecture design.1, 13, 14 Measurement
complements simulation by providing validation. For exam-
ple, some prior simulators used TDP, but our measure-
Java
ments show that it is not accurate. As we look to the future,
scale we believe that programmers will need to tune their appli-
cations for power and energy, not only performance. Just
as hardware performance counters provide insight into
ju ly 2 0 1 2 | vo l . 5 5 | n o. 7 | c om m u n ic at ion s o f t h e ac m 113
research highlights

applications, so will power and energy measurements. 2. Blackburn, S.M. et al. Wake up
Methodology. Although the results show conclusively that and smell the coffee: Evaluation
methodologies for the 21st century.
managed and native workloads have different responses CACM 51, 8 (2008), 83–89.
to architectural variations, perhaps this result should not 3. Bohr, M. A 30 year retrospective on
Dennard’s MOSFET scaling paper. IEEE
be surprising. Unfortunately, few architecture or operating SSCS Newsletter 12, 1 (2007), 11–13
(http://dx.doi.org/10.1109/N-SSC.2007.
system publications with processor measurements or sim- 4785534).
ulated designs use Java or any other managed workloads, 4. David, H., Gorbatov, E., Hanebutte, U.R.,
Khanna, R., Le, C. RAPL: memory power
even though the evaluation methodologies we use here for estimation and capping. In ISLPED
real processors and those for simulators are well developed.2 (2010).
5. Emer, J.S., Clark, D.W. A characterization
of processor performance in the VAX-
7. CONCLUSION 11/780. In ISCA (1984).
6. Esmaeilzadeh, H., Blem, E., St. Amant,
These extensive experiments and analyses yield a wide R., Sankaralingam, K., Burger, D. Dark
range of findings. On this basis, we offer the following rec- silicon and the end of multicore scaling.
In ISCA (2011).
ommendations in this critical time period of hardware and 7.  Fan, X., Weber, W.D., Barroso, L.A. Power
software upheaval. Manufacturers should expose on-chip provisioning for a warehouse-sized
computer. In ISCA (2007).
power meters to the community. System software and appli- 8. Hardavellas, N., Ferdman, M., Falsafi,
cation developers should understand and optimize power. B., Ailamaki, A. Toward dark silicon in
servers. IEEE Micro 31, 4 (2011), 6–15.
Researchers should use both managed and native workloads 9. Hrishikesh, M.S., Burger, D., Jouppi, N.P.,
to quantitatively examine their innovations. Researchers Keckler, S.W., Farkas, K.I., Shivakumar,
P. The optimal logic depth per pipeline
should measure power and performance to understand and stage is 6 to 8 FO4 inverter delays. In
International Symposium on Computer
optimize power, performance, and energy. Architecture (2002).
10. Isci, C., Martonosi, M. Runtime power
monitoring in high-end processors:
Acknowledgments
We thank Bob Edwards, Daniel Frampton, Katherine Coons, Hadi Esmaeilzadeh (hadianeh@
Pradeep Dubey, Jungwoo Ha, Laurence Hellyer, Daniel cs.washington.edu), Department of
Computer Science and Engineering,
Jiménez, Bert Maher, Norm Jouppi, David Patterson, and University of Washington.
John Hennessy. This work is supported by ARC DP0666059
Cao Ting, Stephen M Blackburn, Xi Yang
and NSF CSR-0917191. ({Cao.Ting, Steve.Blackburn, Xi.Yang}@
anu.edu.au), Research School of Computer
References tradeoffs in processor architecture and Science, Australian National University.
1. Azizi, O., Mahesri, A., Lee, B.C., Patel, circuit design: a marginal cost analysis.
S.J., Horowitz, M. Energy-performance In ISCA (2010). © 2012 ACM 0001-0782/12/07 $15.00
Methodology and empirical data. In
MICRO (2003).
11. ITRS Working Group. International tech­
nology roadmap for semiconductors, 2011.
12. Le Sueur, E., Heiser, G. Dynamic voltage
and frequency scaling: the laws of
diminishing returns. In HotPower (2010).
13. Li, S., Ahn, J.H., Strong, R.D., Brockman,
J.B., Tullsen, D.M., Jouppi, N.P. McPAT:
an integrated power, area, and timing
modeling framework for multicore and
manycore architectures. In MICRO (2009).
14. Li, Y., Lee, B., Brooks, D., Hu, Z., Skadron, K.
CMP design space exploration subject to
physical contraints. In HPCA (2006).
15.  Moore, G.E. Cramming more components
onto integrated circuits. Electronics 38, 8
(19 Apr 1965), 114–117.
16.  Mudge, T. Power: a first-class
architectural design constraint.
Computer 34, 4 (Apr. 2001), 52–58.
17. Sasanka, R., Adve, S.V., Chen, Y.K., Debes,
E. The energy efficiency of CMP vs.
SMT for multimedia workloads. In ICS
(2004).
18. Singhal, R. Inside Intel next generation
Nehalem microarchitecture. Intel
Developer Forum (IDF) presentation
(August 2008), 2011.
19. Tullsen, D.M., Eggers, S.J., Levy,
H.M. Simultaneous multithreading:
maximizing on-chip parallelism. In
ISCA (1995).
Kathryn S McKinley (mckinley@
microsoft.com), Microsoft Research,
Redmond, WA; The University of Texas at
Austin, Department of Computer Science,
Austin, TX.

You’ve come a long way.

Share what you’ve learned.

ACM has partnered with MentorNet, the award-winning nonprofit e-mentoring network in engineering,
science and mathematics. MentorNet’s award-winning One-on-One Mentoring Programs pair ACM
student members with mentors from industry, government, higher education, and other sectors.
• Communicate by email about career goals, course work, and many other topics.
• Spend just 20 minutes a week - and make a huge difference in a student’s life.
• Take part in a lively online community of professionals and students all over the world.

Make a difference to a student in your field.

Sign up today at: www.mentornet.net
Find out more at: www.acm.org/mentornet
MentorNet’s sponsors include 3M Foundation, ACM, Alcoa Foundation, Agilent Technologies, Amylin Pharmaceuticals, Bechtel Group Foundation, Cisco
Systems, Hewlett-Packard Company, IBM Corporation, Intel Foundation, Lockheed Martin Space Systems, National Science Foundation, Naval Research
Laboratory, NVIDIA, Sandia National Laboratories, Schlumberger, S.D. Bechtel, Jr. Foundation, Texas Instruments, and The Henry Luce Foundation.

114 co mm unic atio ns o f th e ac m | j u ly 201 2 | vo l . 5 5 | no. 7


Technical Perspective
Why Study the Price
of Anarchy?
By Amos Fiat
O n M ay 1 6 , 2 0 1 2 , ACM ’ s Special Inter-
est Group on Algorithms and Com-
putation Theory) (SIGACT) and the
European Association for Theoreti-
cal Computer Science (EATCS) an-
nounced the recipients of the 2012
Göedel prize to be awarded for the
papers:
˲˲ “Worst-case Equilibira,” by Elias
Koutsoupias and Christos H. Papad-
imitriou,
˲˲ “How Bad Is Selfish Routing?” by
Tim Roughgarden and Éva Tardos, and
˲˲ “Algorithmic Mechanism Design,”
by Noam Nisan and Amir Ronen.
This happy event will take place
this month at the International Collo-
quium on Automata, Languages and
Programming in Warwick, England. So
it is most fitting that this new paper by
Tim Roughgarden appears in this issue
of Communications.
In 1999, Elias Koutsoupias and
Christos Papadimitriou initiated the
study of “How much worse off are we
due to selfishness?” They compared
the worst case pure Nash equilibria
to the optimal solution (in terms of
some target function, usually, social
welfare). This ratio was later called the
price of anarchy. Study of the price of
anarchy gave birth to an entirely new
field of study.
One of the areas where negative ef-
fects of selfish behavior were observed
was in the context of Wardrop equilib-
ria in the analysis of traffic networks
(essentially, Nash equilibria where
there are infinitely many infinitesi-
mally small agents). Roughgarden and
Tardos showed tight bounds on the
price of anarchy for non-atomic rout-
ing with linear latency functions. The
worst case example was known as the
Braess paradox (D. Braess, 1968), but
Roughgarden and Tardos showed that
this was tight.
There are two troubling issues re-
garding the price of anarchy:
˲˲ The pure Nash equilibria does not
always exist. Mixed strategy (random-
Roughgarden uses
a technique
of “smooth games”
to give bounds,
not only on the price
of anarchy with
respect to pure
Nash equilibria,
but also for much
more general
(and convincing)
settings.
ized) Nash equilibria are guaranteed
to exist.
˲˲ Computing the Nash equilibria is,
in general, difficult. To quote Papad-
imitriou quoting Kamal Jain: “If your
laptop can’t find it then neither can
the market.” So, why study the price of
anarchy of a concept that may not exist
in practice?
In the following paper, Roughgar-
den studies “smooth games” to give
bounds, not only on the price of anar-
chy with respect to pure Nash equilib-
ria, but also for much more general
(and convincing) settings. He extends
the class of games for which this tech-
nique was known to work, and extends
the class of equilibria for which this
technique gives good bounds.
In particular, this technique is
shown to work for so-called “regret-
minimization” dynamics, which are
quite natural and believable as rep-
resenting what really happens. The
resulting bounds hold for regret-mini-
ju ly 2 0 1 2 | vo l. 55 | n o. 7 | c om m u n ic at ion s o f t h e acm
doi:10.1145/ 2209249 . 2 2 0 9 2 73
mization dynamics, which means that
they hold for so-called coarse correlat-
ed equilibria, which implies that they
hold for correlated equilibria, from
which it follows that they hold for
mixed Nash equilibria, and thus for
pure Nash equilibria, when they exist.
Another important contribution
of Roughgarden’s in the following pa-
per is so show there exist interesting
families of games for which smooth
analysis gives the best possible price of
anarchy bounds (with respect to pure
Nash equilibria, and thus with respect
to all classes that include pure Nash
equilibria: mixed, correlated, coarse
correlated, and no-regret dynamics).
For such classes of games, smoothed
analysis gives the total answer, no oth-
er technique is needed.
A caveat to the complete generality
of such smoothness techniques are
other natural dynamics such as best
response dynamics and so-called sink
equilibria for which smooth analysis
may be insufficient to determine the
price of anarchy.
Christodoulou and Koutsoupias
used similar smoothness techniques
to study the (special case) of conges-
tion games, in the context of mixed
and correlated equilibria, for both
the price of anarchy (STOC 2005) and
for the price of stability (ESA 2005).
Smoothness techniques were implic-
itly used in many earlier papers to
price of anarchy results. Many of the
previous price of anarchy results can
be more easily understood by reading
the following paper than by reading
the original.
Amos Fiat is a professor of computer science at Tel Aviv
University, Israel.
© 2012 ACM 0001-0782/12/07 $15.00
115
research highlights
Intrinsic Robustness
of the Price of Anarchy
By Tim Roughgarden
Abstract
The price of anarchy, defined as the ratio of the worst-case
objective function value of a Nash equilibrium of a game
and that of an optimal outcome, quantifies the inefficiency
of selfish behavior. Remarkably good bounds on this mea-
sure are known for a wide range of application domains.
However, such bounds are meaningful only if a game’s
participants successfully reach a Nash equilibrium. This
drawback motivates inefficiency bounds that apply more
generally to weaker notions of equilibria, such as mixed
Nash equilibria and correlated equilibria, or to sequences of
outcomes generated by natural experimentation strategies,
such as simultaneous regret-minimization.
We prove a general and fundamental connection between
the price of anarchy and its seemingly more general rela-
tives. First, we identify a “canonical sufficient condition” for
an upper bound on the price of anarchy of pure Nash equilib-
ria, which we call a smoothness argument. Second, we prove
an “extension theorem”: every bound on the price of anar-
chy that is derived via a smoothness argument extends auto-
matically, with no quantitative degradation in the bound, to
mixed Nash equilibria, correlated equilibria, and the aver-
age objective function value of every no-regret sequence of
joint repeated play. Third, we prove that in routing games,
smoothness arguments are “complete” in a proof-theoretic
sense: despite their automatic generality, they are guaran-
teed to produce an optimal worst-case upper bound on the
price of anarchy.
1. INTRODUCTION
Every student of game theory learns early and often that
equilibria are inefficient—self-interested behavior by auton-
omous decision makers generally leads to an outcome
inferior to the one that a hypothetical benevolent dictator
would choose. Such inefficiency is ubiquitous in real-world
situations and arises for many different reasons: congestion
externalities, network effects, mis-coordination, and so on.
It can also be costly or infeasible to eliminate in many situa-
tions, with large networks being one obvious example. The
past ten years have provided an encouraging counterpoint
to this widespread equilibrium inefficiency: in a number of
interesting application domains, decentralized optimiza-
tion by competing individuals provably approximates the
optimal outcome.
A rigorous guarantee of this type requires a formal behav-
ioral model, in order to define “the outcome of self-inter-
ested behavior.” The majority of previous research studies
pure-strategy Nash equilibria, which are defined as follows.
Each player i selects a strategy si from a set Si, like a path in
116 c omm unic atio ns of t h e ac m | JUly 201 2 | vol . 5 5 | no. 7
d oi:10.1145/ 2209249.2 2 0 9 2 74
a network. The cost Ci(s) incurred by a player i in a game is a
function of the entire vector s of players’ chosen strategies,
which is called a strategy profile or an outcome. By definition,
a strategy profile s of a game is a pure Nash equilibrium if no
player can decrease its cost via a unilateral deviation:
Ci(s) ≤ Ci (s′i, s−i )(1)
for every i and si′ ∈ Si, where s−i denotes the strategies cho-
sen by the players other than i in s. These concepts can be
defined equally well via payoff-maximization rather than
cost-minimization; see also Example 2.5.
The price of anarchy (POA) measures the suboptimality
caused by self-interested behavior. Given a game, a notion
of an “equilibrium” (such as pure Nash equilibria), and an
objective function (such as the sum of players’ costs), the
POA of the game is defined as the ratio between the largest
cost of an equilibrium and the cost of an optimal outcome.
An upper bound on the POA has an attractive worst-case fla-
vor: it applies to every possible equilibrium and obviates the
need to predict a single outcome of selfish behavior. Many
researchers have proved remarkably good bounds on the
POA in a wide range of models; see Chapters 17–21 of Nisan
et al.17 and the references therein.
1.1. The need for more robust bounds
A good bound on the price of anarchy of a game is not
enough to conclude that self-interested behavior is rela-
tively benign. Such a bound is meaningful only if a game’s
participants successfully reach an equilibrium. For pure
Nash equilibria, however, there are a number of reasons
why this might not occur: perhaps the players fail to coor-
dinate on one of multiple equilibria, or they are playing
a game in which computing a pure Nash equilibrium is a
computationally intractable problem9 or, even more fun-
damentally, a game in which pure Nash equilibria do not
exist. These critiques motivate worst-case performance
bounds that apply to as wide a range of outcomes as pos-
sible, and under minimal assumptions about how players
play and coordinate in a game.
This article presents a general theory of “robust” bounds
on the price of anarchy. We focus on the hierarchy of
­fundamental equilibrium concepts shown in Figure 1; the
full version22 discusses additional generalizations of pure
Nash equilibria, including approximate equilibria and
The original version of this article was published in the
Proceedings of the 41st Annual ACM Symposium on Theory
of Computing, May 2009.
Figure 1. Generalizations of pure Nash equilibria. “PNE” stands for
pure Nash equilibria, “MNE” for mixed Nash equilibria, “CorEq” for
correlated equilibria, and “No Regret (CCE)” for coarse correlated
equilibria, which are the empirical distributions corresponding to
repeated joint play in which every player has no (external) regret.
Easy to
No Regret (CCE) compute/
learn
CorEq
Always
MNE exists, hard
to compute
PNE Need not
exist, hard
to compute
outcome sequences generated by best-response dynamics.
We formally define the equilibrium concepts of Figure 1—
mixed Nash equilibria, correlated equilibria, and coarse cor-
related equilibria—in Section 3.1, but mention next some of
their important properties.
Enlarging the set of equilibria weakens the behavioral
and technical assumptions necessary to justify equilib-
rium analysis. First, while there are games with no pure
Nash ­ equilibria—“Matching Pennies” being a simple
example—every (finite) game has at least one mixed Nash
equilibrium.16 As a result, the “nonexistence critique” for
pure Nash equilibria does not apply to any of the more gen-
eral concepts in Figure 1. Second, while computing a mixed
Nash equilibrium is in general a computationally intrac-
table problem,5, 8 computing a correlated equilibrium is
not (see, e.g., Chapter 2 of Nisan et al.17). Thus, the “intrac-
tability critique” for pure and mixed Nash equilibria does
not apply to the two largest sets of Figure 1. More impor-
tantly, these two sets are ­“easily learnable”: when a game
is played repeatedly over time, there are natural classes of
learning dynamics—processes by which a player chooses
its strategy for the next time step, as a function only of its
own payoffs and the history of play—that are guaranteed to
converge quickly to these sets of equilibria (see Chapter 4
of Nisan et al.17).
1.2. Overview
Our contributions can be divided into three parts.
(A) We identify a sufficient condition for an upper bound
on the POA of pure Nash equilibria of a game, which
encodes a canonical proof template for deriving such
bounds. We call such proofs “smoothness argu-
ments.” Many of the POA upper bounds in the litera-
ture can be recast as instantiations of this canonical
method.
(B) We prove an “extension theorem”: every bound on
the price of anarchy that is derived via a smooth-
ness argument extends automatically, with no
quantitative degradation in the bound, to all of the
more general equilibrium concepts pictured in
Figure 1.
(C) We prove that routing games, with cost functions
restricted to some arbitrary set, are “tight” in the fol-
lowing sense: smoothness arguments, despite their
automatic generality, are guaranteed to produce opti-
mal worst-case upper bounds on the POA, even for
the set of pure Nash equilibria. Thus, in these classes
of games, the worst-case POA is the same for each of
the equilibrium concepts of Figure 1.
2. SMOOTH GAMES
2.1. Definitions
By a cost-minimization game, we mean a game—players,
strategies, and cost functions—together with the joint cost
objective function . Essentially, a “smooth
game” is a cost-minimization game that admits a POA bound
of a canonical type (a “smoothness argument”). We give the
formal definition and then explain how to interpret it.
Definition 2.1 (Smooth Games): A cost-minimization
game is (λ, m)-smooth if for every two outcomes s and s*,
(2)
Roughly, smoothness controls the cost of a set of “one-
dimensional perturbations” of an outcome, as a function of
both the initial outcome s and the perturbations s*.
We claim that if a game is (λ, m)-smooth, with λ > 0 and
m < 1, then each of its pure Nash equilibria s has cost at most
λ/(1 − m) times that of an optimal solution s*. In proof, we
derive
(3)
(4)
(5)
where (3) follows from the definition of the objective func-
tion; inequality (4) follows from the Nash equilibrium condi-
tion (1), applied once to each player i with the hypothetical
deviation s*i ; and inequality (5) follows from the defining
condition (2) of a smooth game. Rearranging terms yields
the claimed bound.
Definition 2.1 is sufficient for the last line of this three-
line proof (3)–(5), but it insists on more than what is needed:
it demands that the inequality (2) hold for every outcome s,
and not only for Nash equilibria. This is the basic reason why
smoothness arguments imply worst-case bounds beyond
the set of pure Nash equilibria.
JUly 2 0 1 2 | vo l . 55 | n o. 7 | c om m u n i c at ion s o f t h e acm 117
research highlights
We define the robust POA as the best upper bound on the
POA that is provable via a smoothness argument.
Definition 2.2 (Robust POA): The robust price of anarchy of
a cost-minimization game is
with m always constrained to be less than 1.
Remark 2.3 (Variations on Smoothness): Examining the
three-line proof (3)–(5) reveals that the assumptions can be
weakened in two ways. First, the assumption that the objec-
tive function satisfies can be replaced by the
assumption ; we exploit this in Example 2.5
below. Second, in Definition 2.1, the inequality (2) only
needs to hold for all outcomes s and some optimal solution
s*, rather than for all pairs s, s* of outcomes. This relaxation
is useful in some applications.4, 23
Finally, there is an analogous definition of smooth games
for maximization objectives; see Example 2.5.
2.2. Intuition
Smoothness arguments should be interpreted as a class of
upper bound proofs for the POA of pure Nash equilibria that
are confined to use the equilibrium hypothesis in a minimal
way. To explain, recall the canonical three-line proof (3)–(5).
The first inequality (4) uses the Nash equilibrium hypothesis,
but only to justify why each player i selects its equilibrium
strategy si rather than its strategy s*i  in the optimal outcome. If
we care only about the POA of pure Nash equilibria, then we
are free to invoke the Nash equilibrium hypothesis again to
prove the second inequality (5) or, more generally, to establish
an upper bound using any argument that we please. Using a
smoothness argument—that is, proving inequality (5) for all
outcomes s—is tantamount to discarding the Nash equilib-
rium hypothesis after it is used to justify the first inequality (4).
2.3. Two examples
Concern about the range of applicability of a definition
grows as its interesting consequences accumulate. Given
that smoothness arguments enable the extension theorem
discussed in Section 1.2, how many games can be (λ,  m)-
smooth with interesting values of λ, m? To alleviate such
fears and add some concreteness to the discussion, we next
single out two well-known POA analyses that can be recast as
smoothness arguments. More generally, many but not all of
the known price of anarchy bounds follow from smoothness
proofsa; see the full version22 for a detailed discussion.
The first example is a special class of congestion games;
Section 4 studies the general case in detail. The second exam-
ple concerns Vetta’s well-studied utility games,25 and also
a
  The most common reason that a price of anarchy bound fails to qualify as
a smoothness proof is that the Nash equilibrium hypothesis is invoked for a
hypothetical deviation s*i that is a function of the other players’ equilibrium
actions s–i. In most of these cases, it is also known that the worst-case POA of
mixed Nash equilibria is strictly worse than that of pure Nash equilibria, and
hence no lossless extension theorem exists.
118 c om munic atio ns of t h e ac m | JUly 201 2 | vo l . 5 5 | no. 7
illustrates how smoothness arguments can be defined and
used in payoff-maximization games, and also with a “one-
sided” variant of sum objective functions (cf., Remark 2.3).
Example 2.4 (Atomic Congestion Games): A congestion
game is a cost-minimization game defined by a ground set E
or resources, a set of k players with strategy sets S1, . . . , Sk ⊆ 2E,
and a cost function ce: Z+ → R for each resource e  E.20 In
this article, we always assume that cost functions are non-
negative and nondecreasing. A canonical example is routing
games, where E is the edge set of a network, and the strategies
of a player correspond to paths between its source and sink
vertices. Given a strategy profile s = (s1, . . . , sk), with si ∈ Si for
each i, we say that xe = |{i : e ∈ si}| is the load induced on e by
s, defined as the number of players that use it in s. The cost
to player i is defined as , where x is the vector
of loads induced by s. For this example, we assume that every
cost function is affine, meaning that ce(x) = aex + be with ae, be ≥
0 for every resource e ∈ E.
We claim that every congestion game with affine cost
functions is (5/3, 1/3)-smooth. The basic reason for this was
identified by Lemma 1 of Christodoulou and Koutsoupias,7
who noted that
for all nonnegative integers y, z. Thus, for all a, b ≥ 0 and
nonnegative integers y, z,
(6)
To establish smoothness, consider a pair s, s* of outcomes of
a congestion game with affine cost functions, with induced
loads x, x*. Since the number of players using resource e in
the outcome (s*i , s–i ) is at most one more than that in s, and
this resource contributes to precisely x*e terms of the form
Ci (s*i , s−i ), we have
(7)
where (7) follows from (6), with x*e and xe playing the roles of y
and z, respectively. The canonical three-line argument (3)–(5)
then implies an upper bound of 5/2 on the POA of pure Nash
equilibria in every congestion game with affine cost func-
tions. This fact was first proved independently in Awerbuch
et al.2 and Christodoulou and Koutsoupias,7 where matching
lower bounds were also supplied. Our extension theorem
(Theorem 3.1) implies that the bound of 5/2 extends to the
other three sets of outcomes shown in Figure 1. These exten-
sions were originally established in two different papers3, 6
subsequent to the original POA bound.2, 7
Example 2.5 (Valid Utility Games): Our final example
concerns a class of games called valid utility games.25 These
games are naturally phrased as payoff-maximization games,
where each player has a payoff function Pi(s) that it strives to
maximize. We use P to denote the objective function of a pay-
off-maximization game. We call such a game (λ, m)-smooth if
for every pair s, s* of outcomes. A derivation similar to (3)–(5)
shows that, in a (λ, m)-smooth payoff-maximization game,
the objective function value of every pure Nash equilibrium
is at least a λ/(1 + m) fraction of the maximum possible. We
define the robust POA of a payoff-maximization game as
the supremum of λ/(1 + m) over all legitimate smoothness
parameters (λ, m).
A valid utility game is defined by a ground set E, a nonneg-
ative submodular function V defined on subsets of E, and a
strategy set Si ⊆ 2E and a payoff function Pi for each player
i  =  1, 2, . . . , k.b For example, the set E could denote a set of
locations where facilities can be built, and a strategy si ⊆ E
could denote the locations at which player i chooses to build
facilities. For an outcome s, let U(s) ⊆ E denote the union
of players’ strategies in s. The objective function value
of an outcome s is defined as P(s) = V(U(s)). Furthermore,
the definition requires that two conditions hold: (i) for each
player i, Pi(s) ≥ V(U(s)) − V(U(0/, s−i )) for every outcome s; and
(ii) for every outcome s. One concrete exam-
ple of such a game is competitive facility location with price-
taking markets and profit-maximizing firms.25
We claim that every valid utility game with a nondecreas-
ing objective function V is (1, 1)-smooth. The proof is essen-
tially a few key inequalities from Theorem 3.2 of Vetta25, as
follows. Let s, s* denote arbitrary outcomes of a valid utility
game with a nondecreasing objective function. Let Ui  ⊆ E
denote the union of all of the players’ strategies in s, together
with the strategies employed by players 1, 2, . . . , i in s*.
Applying condition (i), the submodularity of V, and the non-
decreasing property of V yields
as desired. This smoothness argument implies a lower
bound of 1/2 on the POA of pure Nash equilibria in every
valid utility game with a nondecreasing objective function—
a result first proved in Vetta,25 along with a matching upper
bound. Our extension theorem shows that this lower bound
applies more generally to all of the equilibria depicted in
Figure 1, a fact first established in Blum et al.3
3. AN EXTENSION THEOREM
This section states and proves the extension theorem dis-
cussed in Section 1.2: every POA bound on pure Nash
equilibria derived from a smoothness argument extends
b
  A set function V : 2E → R is submodular if V(X ∩ Y) + V(X ∪ Y) ≤ V(X) + V(Y )
for every X, Y ⊆ E.
automatically to the more general equilibrium concepts in
Figure 1 and to the corresponding outcome sequences in
games played over time. Several less direct consequences
of smoothness arguments are discussed in the full ver-
sion.22 We work with cost-minimization games, though
similar results hold for smooth payoff-maximization games
(cf., Example 2.5).
3.1. Static equilibrium concepts
We begin with implications of Definition 2.1 for random-
ized equilibrium concepts in one-shot games; the next sec-
tion treats outcome sequences generated by repeated play.
A set (s1, . . . , sk) of independent probability distributions
over strategy sets—one per player of a cost-minimization
game—is a mixed Nash equilibrium of the game if no player
can decrease its expected cost under the product distribu-
tion s = s1 × . . . × sk via a unilateral deviation:
Ess   [Ci(s)] ≤ Es s [Ci(s′i , s−i)]
−i −i
for every i and s′i, ∈Si, where s−i is the product distribution
of all sj’s other than si. (By linearity, it suffices to consider
only pure-strategy unilateral deviations.) Obviously, every
pure Nash equilibrium is a mixed Nash equilibrium and not
conversely; indeed, many games have no pure Nash equilib-
rium, but every finite game has a mixed Nash equilibrium.16
A correlated equilibrium of a cost-minimization game G
is a (joint) probability distribution s over the outcomes of G
with the property that
Ess [Ci(s)½si] ≤ Ess [Ci(s′i , s−i)½si](8)
for every i and si, s′i ∈Si. A classical interpretation of a corre-
lated equilibrium is in terms of a mediator, who draws an
outcome s from the publicly known distribution s and pri-
vately “recommends” strategy si to each player i. The equi-
librium condition requires that following a recommended
strategy always minimizes the expected cost of a player, con-
ditioned on the recommendation. Mixed Nash equilibria
are precisely the correlated equilibria that are also product
distributions. Correlated equilibria have been widely stud-
ied as strategies for a benevolent mediator, and also because
of their relative tractability. Because the set of correlated
equilibria is explicitly described by a small set of linear
inequalities, computing (and even optimizing over) corre-
lated equilibria can be done in time polynomial in the size of
the game (see, e.g., Chapter 2 of Nisan et al.17). They are also
relatively “easy to learn,” as discussed in the next section.
Finally, a coarse correlated equilibrium of a cost-minimi-
zation game is a probability distribution s over outcomes
that satisfies
Esσ[Ci(s)] ≤ Esσ [Ci(s′i , s−i)](9)
for every i and s′i, ∈si. While a correlated equilibrium (8) pro-
tects against deviations by players aware of their recom-
mended strategy, a coarse correlated equilibrium (9) is only
constrained by player deviations that are independent of the
sampled outcome. Since every correlated equilibrium is also
JUly 2 0 1 2 | vo l . 55 | n o. 7 | c om m u n i c at ion s o f t h e acm 119
research highlights
a coarse correlated equilibrium, coarse correlated equilibria
are “even easier” to compute and learn, and are thus a still
more plausible prediction for the realized play of a game.
We now give our extension theorem for equilibrium
concepts in one-shot games: every POA bound proved via a
smoothness argument extends automatically to the set of
coarse correlated equilibria. With the “correct” definitions
in hand, the proof writes itself.
Theorem 3.1 (Extension Theorem—Static Version)
For every cost-minimization game G with robust POA r(G), every
coarse correlated equilibrium s of G, and every outcome s* of G,
Esσ[C(s)] ≤ r(G) · C(s*).
Proof: Let G be a (λ, m)-smooth cost-minimization game, s
a coarse correlated equilibrium, and s* an outcome of G. We
can write
(10)
(11)
(12)
(13)
(14)
(15)
where equality (10) follows from the definition of the
­objective function, equalities (11), (13), and (15) follow from
linearity of expectation, inequality (12) follows from the
­definition (9) of a coarse correlated equilibrium (applied
once per player, with the hypothetical deviation s*i ), and
inequality (14) follows from the assumption that the game is
(λ, m)-smooth. Rearranging terms completes the proof.  
3.2. Repeated play and no-regret sequences
The extension theorem (Theorem 3.1) applies equally well
to certain outcome sequences generated by repeated play,
because of a well-known correspondence between such
sequences and static equilibrium concepts. To illustrate
this point, consider a sequence s1, s2, . . . , sT of outcomes of a
(λ, m)-smooth game and a minimum-cost outcome s* of the
game. For each i and t, define
(16)
as the hypothetical improvement in player i’s cost at time t
had it used the strategy s*i in place of sti. When st is a Nash equi-
librium, di(st) cannot be positive; for an arbitrary outcome st,
120 c omm unicatio ns o f th e ac m | JUly 201 2 | vo l. 5 5 | no. 7
di(st) can be positive or negative. We can mimic the deriva-
tion in (3)–(5) to obtain
(17)
for each t.
Suppose that every player i experiences vanishing average
(external) regret, meaning that its cost over time is competitive
with that of every time-invariant strategy:
(18)
Repeating the same pure Nash equilibrium over and over
again yields a degenerate example, but in general such
sequences can exhibit highly oscillatory behavior over arbi-
trarily large time horizons (see, e.g., Blum et al.3 and Kleinberg
et al.13).
Averaging (17) over the T time steps and reversing the
order of the resulting double summation yields
(19)
Recalling from (16) that di(st) is the additional cost incurred
by player i at time t due to playing strategy sti instead of the
(time-invariant) strategy s*i , the no-regret guarantee (18)
implies that is bounded above by a term
that goes to 0 with T. Since this holds for every player i,
inequality (19) implies that the average cost of outcomes
in the sequence is no more than the robust POA times the
minimum-possible cost, plus an error term that approaches
zero as T → ∞.
Theorem 3.2 (Extension Theorem—Repeated Version)
For every cost-minimization game G with robust POA r(G), every
outcome sequence s 1, . . . , s T that satisfies (18) for every player,
and every outcome s*of G,
as T → ∞.
Blum et al.3 were the first to consider bounds of this type,
calling them “the price of total anarchy.”
We reiterate that the type of bound in Theorem 3.2 is sig-
nificantly more compelling, and assumes much less from
both the game and its participants, than the one that applies
only to Nash equilibria. While Nash equilibria can be intrac-
table or impossible to find, there are several computation-
ally efficient “off-the-shelf” learning algorithms with good
convergence rates that are guaranteed, in any game, to gen-
erate outcome sequences with vanishing average regret (see,
e.g., Chapter 4 of Nisan et al.17). Of course, the guarantee in
Theorem 3.2 makes no reference to which learning algo-
rithms (if any) the players’ use to play the game—the bound
applies whenever repeated joint play has low regret, whatever
the reason.
Remark 3.3 (Theorems 3.1 and 3.2): Theorems 3.1 and 3.2
are essentially equivalent, in that either one can be derived
from the other. The reason is that the set of coarse correlated
equilibria of a game is precisely the closure of the empirical
distributions of (arbitrarily long) sequences in which every
player has nonpositive average regret.
Remark 3.4 (Correlated Equilibria and Swap Regret)
There is a more stringent notion of regret—swap regret—
under which there is an analogous correspondence between
the correlated equilibria of a game and the outcome
sequences in which every player has nonpositive (swap)
regret. There are also computationally efficient “off the
shelf” learning algorithms that guarantee each player van-
ishing average swap regret in an arbitrary game.10, 12
4. CONGESTION GAMES ARE TIGHT
The worst-case POA for a set of allowable outcomes can only
increase as the set grows bigger. This section proves that, in
congestion games with restricted cost functions, the worst-
case POA is exactly the same for each of the equilibrium
concepts of Figure 1. We prove this by showing that smooth-
ness arguments, despite their automatic generality, provide
a tight bound on the POA, even for pure Nash equilibria.
More precisely, let G denote a set of cost-minimization
games, and assume that a nonnegative objective function
has been defined on the outcomes of these games. Let A(G)
denote the parameter values (λ, m) such that every game of
G is (λ, m)-smooth. Let  ⊆ G denote the games with at least
one pure Nash equilibrium, and rpure(G) the POA of pure
Nash equilibria in a game G ∈ . The canonical three-line
proof (3)–(5) shows that for every (λ, m) ∈A(G) and every G ∈
, rpure(G) ≤ λ/(1 − m). We call a set of games tight if equality
holds for suitable choices of (λ, m) ∈A(G) and G ∈ .
Definition 4.1 (Tight Class of Games): A set G of games
is tight if
(20)
The right-hand side of (20) is the best worst-case upper bound
provable via a smoothness argument, and it applies to all of
the sets shown in Figure 1. The left-hand side of (20) is the
actual worst-case POA of pure Nash equilibria in G—corre-
sponding to the smallest set in Figure 1—among games with
at least one pure Nash equilibrium. That the left-hand side is
trivially upper bounded by the right-hand side is reminiscent
of “weak duality.” Tight classes of games are characterized by
the min-max condition (20), which can be loosely interpreted
as a “strong duality-type” result.c In a tight class of games,
every valid upper bound on the worst-case POA of pure Nash
equilibria is superseded by a suitable smoothness argument.
Thus, every such bound—whether or not it is proved using
a smoothness argument—is “intrinsically robust,” in that it
applies to all of the sets of outcomes in Figure 1.
c
  See Nadav and Roughgarden15 for a formal treatment of the duality between
equilibrium concepts and POA bounds.
Recall from Example 2.4 the definition of and notation for
congestion games. Here, we consider arbitrary nonnegative
and nondecreasing cost functions ce. The worst-case POA in
congestion games depends on the “degree of nonlinearity”
of the allowable cost functions. For example, for polynomial
cost functions with nonnegative coefficients and degree at
most d, the worst-case POA in congestion games is finite but
exponential in d.1, 2, 7, 18
Example 2.4 shows that, if G is the set of congestion
games with affine cost functions, then the right-hand side
of (20) is at most 5/2. Constructions in Awerbuch et al.2 and
Christodoulou and Koutsoupias7 show that the left-hand
side of (20) is at least 5/2 for this class of games. Thus, con-
gestion games with affine cost functions form a tight class.
Our final result shows that this fact is no fluke.
theorem 4.2: For every non-empty set C of nondecreasing,
­ ositive cost functions, the set of congestion games with cost
p
functions in C is tight.
In addition to showing that smoothness arguments always
give optimal POA bounds in congestion games, this result
and its proof imply the first POA bounds of any sort for
congestion games with nonpolynomial cost functions, and
the first structural characterization of universal worst-case
examples for the POA in congestion games.
The proof of Theorem 4.2 is technical and we provide only
a high-level outline; the complete proof can be found in the
full version.22 For the following discussion, fix a set C of cost
functions. The first step is to use the fact that, in a conges-
tion game, the objective function and players’ cost functions
are additive over the resources E. This reduces the search for
parameters (λ, m) that satisfy condition (2) of Definition 2.1—
which imposes one constraint for every congestion game
with cost functions in C, and every pair s, s* of outcomes in
that game—to the search for parameters (λ, m) that satisfy
(21)
for every cost function c ∈ C, nonnegative integer x, and posi-
tive integer x*. This condition is the same as (6) in Example 2.4
for the case where C is the set of affine cost functions.
The second step of the proof is to understand the
­optimization problem of minimizing the objective function
λ/(1 − m) over the “feasible region” A(C), where A(C) denotes
the set of values (λ, m) that meet the condition (21) above.
This optimization problem is almost the same as the right-
hand side of (20), and it has several nice properties. First,
there are only two decision variables—λ and m—so A(C) is
contained in the plane. Second, while there are an infinite
number of constraints (21), each is linear in λ and m. Thus,
A(C) is the intersection of halfplanes. Third, the objective
function λ/(1 − m) is decreasing is both decision variables.
Thus, ignoring some edge cases that can be handled sepa-
rately, the choice of (λ, m) that minimizes the objective func-
tion lies on the “southwestern boundary” of A(C), and can
be characterized as the unique point of A(C) that satisfies
with equality a particular pair of constraints of the form (21).
The third and most technical part of the proof is to show a
JUly 2 0 1 2 | vo l . 55 | n o. 7 | c om m u n i c at ion s o f t h e acm 121
research highlights
matching lower bound on the left-hand side of (20). The intui­
tion behind the construction is to arrange a congestion game
in which each player has two strategies, one that uses a small
number of resources, and the other a disjoint strategy that
uses a large number of resources. In the optimal outcome,
all players use their small strategies and incur low cost. (This
outcome is also a pure Nash equilibrium.) In the suboptimal
pure Nash equilibrium, all players use their large strategies,
thereby “flooding” all resources and incurring a large cost.
How can this suboptimal outcome persist as a Nash equilib-
rium? If one player deviates unilaterally, it enjoys the benefit of
fewer resources in its strategy, but each of these new resources
now has load one more than that of each of the resources it
was using previously. Implemented optimally, this construc-
tion produces a congestion game and a pure Nash equilibrium
of it with cost a λ/(1 − m) factor larger than that of the optimal
outcome, where (λ, m) are the optimal smoothness parameters
identified in the second step of the proof.
Remark 4.3 (poa bounds for all cost functions)
Theorem 4.2 gives the first solution to the worst-case POA in
congestion games with cost functions in an arbitrary set C. Of
course, precisely computing the exact value of the worst-case
POA is not trivial, even for simple sets C. Arguments in Aland
et al.1 and Olver18 imply a (complex) closed-form expression for
the worst-case POA when C is a set of polynomials with non-
negative coefficients. Similar computations should be possi-
ble for some other simple sets C. More broadly, the second and
third steps of the proof of Theorem 4.2 indicate how to numer-
ically produce good upper and lower bounds, respectively, on
the worst-case POA when there is a particular set C of interest.
Remark 4.4 (worst-Case Congestion Games): The
details of the construction in the third step of the proof of
Theorem 4.2 show that routing games on a bidirected cycle
are universal worst-case examples for the POA, no matter what
the allowable set of cost functions. This corollary is an analog
of a simpler such sufficient condition for nonatomic conges-
tion games—where there is a continuum of players, each of
negligible size—in which, under modest assumptions on C,
the worst-case POA is always achieved in two-node two-link
networks.21
5. FURTHER RELATED WORK
The price of anarchy was first studied in Koutsoupias and
Papadimitriou14 for makespan minimization in scheduling
games. This is not a sum objective function, and the worst-
case POA in this model was immediately recognized to be
different for different equilibrium concepts.3, 14 See Chapter
20 of Nisan et al.17 for a survey of the literature on this model.
The POA with a sum objective was first studied in Rough­
garden and Tardos24 for nonatomic selfish routing games.
The first general results on the POA of pure Nash equilibria
for (atomic) congestion games and their weighted variants
are in Awerbuch et al.2 and Christodoulou and Koutsoupias,7
which gave tight bounds for games with affine cost functions
and reasonably close upper and lower bounds for games with
polynomial cost functions with nonnegative coefficients;
matching upper and lower bounds for the latter class were later
122 co m munic atio ns o f t h e acm | JUly 201 2 | vo l . 5 5 | no. 7
given independently in Aland et al.1 and Olver.18
Many previous works recognized the possibility of and
motivation for more general POA bounds. The underlying
bound on the POA of pure Nash equilibria can be formulated
as a smoothness argument in almost all of these cases, so our
extension theorem immediately implies, and often strength-
ens, these previously proved robust bounds. Specifically, Aland
et al.,1 Awerbuch et al.,2 Christodoulou and Koutsoupias,7 and
Vetta25 each observe that their upper bounds on the worst-case
POA of pure Nash equilibria carry over easily to mixed Nash
equilibria. In Christodoulou and Koutsoupias,6 the worst-case
POA of correlated equilibria is shown to be the same as that
for pure Nash equilibria in unweighted and weighted conges-
tion games with affine cost functions. Blum et al.3 rework and
generalize several bounds on the worst-case POA of pure Nash
equilibria to show that the same bounds hold for the average
objective function value of no-regret sequences. Their applica-
tions include valid utility games25 and the (suboptimal) bounds
of Awerbuch et al.2 and Christodoulou and Koutsoupias7 for
unweighted congestion games with polynomial cost func-
tions, and also a constant-sum location game and a fairness
objective, which falls outside of our framework.
Versions of our two-parameter smoothness definition
are implicit in a few previous papers, in each case for a spe-
cific model and without any general applications to robust
POA guarantees: Perakis19 for a nonatomic routing model
with nonseparable cost functions, Christodoulou and
Koutsoupias6 for congestion games with affine cost func-
tions, and Harks11 for splittable congestion games.
6. CONCLUSION
Pure-strategy Nash equilibria—where each player deter-
ministically picks a single strategy—are often easier to rea-
son about than their more general cousins like mixed Nash
equilibria, correlated equilibria, and coarse correlated equi-
libria. On the other hand, inefficiency guarantees for more
general classes of equilibria are crucial for several reasons:
pure Nash equilibria do not always exist; they can be intrac-
table to compute, even when they are guaranteed to exist;
and even when efficiently computable by a centralized algo-
rithm, they can elude natural learning dynamics.
This article presented an extension theorem, which auto-
matically extends, in “black-box” fashion, price of anarchy
bounds for pure Nash equilibria to the more general equilib-
rium concepts listed above. Such an extension theorem can
only exist under some conditions, and the key idea is to restrict
the method of proof used to bound the price of anarchy of pure
Nash equilibria. We defined smooth games to formalize a
canonical method of proof, in which the Nash equilibrium
hypothesis is used in only a minimal way, and proved an exten-
sion theorem for smooth games. Many of the games in which
the price of anarchy has been studied are smooth games in
our sense.d For the fundamental model of congestion games
with arbitrarily restricted cost functions, we proved that this
d
  Since the conference version of this article, the definition of smooth games
has been refined and extended in several ways, and new smoothness argu-
ments have been discovered for a number of interesting models. See the full
version22 for details and references.
canonical proof method is guaranteed to produce an opti- and collusion in network games Cambridge University Press, 2007.
with splittable flow. Proceedings of 18. Olver, N. The price of anarchy and a
mal upper bound on the worst-case POA. In this sense, POA the 6th International Workshop on priority-based model of routing.
bounds for congestion games are “intrinsically robust.” Approximation and Online Algorithms M.S. thesis, McGill University (2006).
(WAOA’08), E. Bampis and 19. Perakis, G. The “price of anarchy”
M. Skutella, eds. Volume 5426 of under nonlinear and asymmetric costs.
Acknowledgments LNCS (2008), 133–146. Math. Oper. Res. 32, 3 (2007), 614–628.
12. Hart, S., Mas-Colell, A. A simple 20. Rosenthal, R.W. A class of games
This research was supported in part by NSF CAREER Award adaptive procedure leading to possessing pure-strategy Nash
CCF-0448664, an ONR Young Investigator Award, an AFOSR correlated equilibria. Econometrica equilibria. Int. J. Game Theor. 2, 1
68, 5 (2000), 1127–1150. (1973), 65–67.
MURI grant, and an Alfred P. Sloan Fellowship. 13. Kleinberg, R.D., Piliouras, G., Tardos, É. 21. Roughgarden, T. The price of anarchy
Multiplicative updates outperform is independent of the network
generic no-regret learning in congestion topology. J. Comput. Syst. Sci. 67, 2
References 6. Christodoulou, G., Koutsoupias, E. games. In Proceedings of the 41st (2003), 341–364.
1. Aland, S., Dumrauf, D., Gairing, M., On the price of anarchy and stability Annual ACM Symposium on Theory of 22. Roughgarden, T. Intrinsic robustness
Monien, B., Schoppmann, F. Exact of correlated equilibria of linear Computing (STOC) (2009), 533–542. of the price of anarchy. In 41st ACM
price of anarchy for polynomial congestion games. In Proceedings 14. Koutsoupias, E., Papadimitriou, C.H. Symposium on Theory of Computing
congestion games. SIAM J. Comput. of the 13th Annual European Worst-case equilibria. In Proceedings (STOC) (2009), 513–522.
40, 5 (2011), 1211–1233. Symposium on Algorithms (ESA), of the 16th Annual Symposium on 23. Roughgarden, T. The price of anarchy
2. Awerbuch, B., Azar, Y., Epstein, A. The volume 3669 of Lecture Notes in Theoretical Aspects of Computer in games of incomplete information.
price of routing unsplittable flow. In Computer Science (2005), 59–70. Science (STACS), volume 1563 of In 13th ACM Conference on
Proceedings of the 37th Annual ACM 7. Christodoulou, G., Koutsoupias, E. The Lecture Notes in Computer Science Electronic Commerce (EC)
Symposium on Theory of Computing price of anarchy of finite congestion (1999), 404–413. (2012).
(STOC) (2005), 57–66. games. In Proceedings of the 37th 15. Nadav, U., Roughgarden, T. The 24. Roughgarden, T., Tardos, É. How
3. Blum, A., Hajiaghayi, M., Ligett, K., Annual ACM Symposium on Theory of limits of smoothness: A primal-dual bad is selfish routing? J. ACM 49, 2
Roth, A. Regret minimization and the Computing (STOC) (2005), 67–73. framework for price of anarchy (2002), 236–259.
price of total anarchy. In Proceedings 8. Daskalakis, C., Goldberg, P.W., bounds. In The 6th International 25. Vetta, A. Nash equilibria in
of the 40th Annual ACM Symposium Papadimitriou, C.H. The complexity of Workshop on Internet and Network competitive societies, with
on Theory of Computing (STOC) computing a Nash equilibrium. SIAM Economies (WINE) (2010), 319–326. applications to facility location, traffic
(2008), 373–382. J. Comput. 39, 1 (2009), 195–259. 16. Nash, J.F. Equilibrium points in routing and auctions. In Proceedings
4. Caragiannis, I., Kaklamanis, C., 9. Fabrikant, A., Papadimitriou, C.H., N-person games. Proc. Natl. Acad. Sci. of the 43rd Annual Symposium on
Kanellopoulos, P., Kyropoulou, M., Talwar, K. The complexity of pure Nash 36, 1 (1950), 48–49. Foundations of Computer Science
Lucier, B., Leme, R.P., Tardos, É. On the equilibria. In Proceedings of the 36th 17. Nisan, N., Roughgarden, T.,Tardos, É., (FOCS) (2002), 416–425.
efficiency of equilibria in generalized Annual ACM Symposium on Theory of Vazirani, V., eds. Algorithmic Game Theory.
second price auctions. Submitted Computing (STOC) (2004), 604–612.
2012. Earlier versions appeared in 10. Foster, D., Vohra, R. Calibrated
FOCS, ’10 and EC, ’11. learning and correlated equilibrium. Tim Roughgarden (

[email protected].
5. Chen, X., Deng, X., Teng, S.H. Settling Game Econ. Behav. 21(1–2) (1997), edu), Stanford University, Stanford, CA.
the complexity of two-player Nash 40–55.
equilibria. J. ACM 56, 3 (2009). 11. Harks, T. Stackelberg strategies © 2012 ACM 0001-0782/12/07 $15.00

World-Renowned Journals from ACM

ACM publishes over 50 magazines and journals that cover an array of established as well as emerging areas of the computing field.
IT professionals worldwide depend on ACM's publications to keep them abreast of the latest technological developments and industry
news in a timely, comprehensive manner of the highest quality and integrity. For a complete listing of ACM's leading magazines & journals,
including our renowned Transaction Series, please visit the ACM publications homepage: www.acm.org/pubs.

ACM Transactions ACM Transactions

on Interactive on Computation
Intelligent Systems PLEASE CONTACT ACM MEMBER
Theory SERVICES TO PLACE AN ORDER
Phone: 1.800.342.6626 (U.S. and Canada)
+1.212.626.0500 (Global)
Fax: +1.212.944.1318
(Hours: 8:30am–4:30pm, Eastern Time)
Email: [email protected]
Mail: ACM Member Services
General Post Office
PO Box 30777
New York, NY 10087-0777 USA

ACM Transactions on Interactive ACM Transactions on Computation

Intelligent Systems (TIIS). This
quarterly journal publishes papers
on research encompassing the
design, realization, or evaluation of
interactive systems incorporating
some form of machine intelligence.
Theory (ToCT). This quarterly peer-
reviewed journal has an emphasis
on computational complexity, foun-
dations of cryptography and other
computation-based topics in theo-
retical computer science. www.acm.org/pubs

PUBS_halfpage_Ad.indd 1 6/7/12 11:38 AM

JUly 2 0 1 2 | vo l . 55 | n o. 7 | c om m u n i cat ion s o f t h e ac m 123
careers

University of South Carolina Upstate

Assistant Professor of Computer Science –
Requisition #004744

The Division of Mathematics and Computer Sci- Advertising in Career Opportunities

ence has a tenure-track Assistant Professor of
Computer Science position beginning 1/1/2013 How to Submit a Classified Line Ad: Send an e-mail to
to teach undergraduate courses in computer sci-
[email protected]

. Please include text, and indicate the
ence, develop curriculum, engage in scholarly ac-
tivities, advise students.
PhD in Computer Science or closely related
field and excellent communication skills re-
quired. Prefer research interest in one of the fol-
lowing areas: Networking and Computer Secu-
rity, Software Engineering, Database, Robotics.
Review of applications begins immediately
issue/or issues where the ad will appear, and a contact name and number.
Estimates: An insertion order will then be e-mailed back to you. The ad will
by typeset according to CACM guidelines. NO PROOFS can be sent. Classified
line ads are NOT commissionable.
Rates: $325.00 for six lines of text, 40 characters per line. $32.50 for each
additional line after the first six. The MINIMUM is six lines.
Deadlines: 20th of the month/2 months prior to issue date. For latest deadline
info, please contact:

[email protected]

and continues until position is filled. For com-
plete information, requirements and online ap-
plication submission process, go to www.uscup-
state.edu/jobs. Contact: Dr. Jerome Lewis, Chair,
Career Opportunities Online: Classified and recruitment display ads receive a
free duplicate listing on our website at: http://jobs.acm.org
Ads are listed for a period of 30 days. For More Information Contact:

[email protected].
USC Upstate is an equal ACM Media Sales at 212-626-0686 or [email protected]
opportunity institution.

ISTFELLOW
IST AuSTrIA IS lookIng for PoSTDoCTorAl fElloWS
IST Austria (Institute of Science and Technology Austria) invites applications for
postdoctoral fellows in all fields of the natural and mathematical sciences and related
disciplines.
The Institute, which is on the outskirts of Vienna, was established by the Austrian government with
a focus on basic research. IST Austria has English as its working language, and its Graduate School
awards PhD degrees. It has an international mix of scientists chosen solely on the basis of their
individual excellence and potential contribution to research.
The Institute has set up a program for exceptional postdoctoral researchers partially funded by the
European Union. Appointments will be for 2–4 years. Applications will be accepted at any time, but
fellows will be selected twice a year in October and April. The deadlines for each selection are
the 15th of September and March, respectively. Applicants must have the support of one or more
Professors or Assistant Professors of IST Austria who will host them in their research group.
The Institute offers an internationally competitive salary, full social security coverage, and additional
benefits.

For further information about the program and the online application
process, please refer to the ISTFELLOW website: http://ist.ac.at/istfellow
IST Austria values diversity and is committed to equality. Female researchers are encouraged to apply.

124 c o m municatio ns o f th e ac m | j u ly 201 2 | vo l . 5 5 | no. 7

 THE UNIVERSITY OF TENNESSEE, KNOXVILLE
HEAD, DEPARTMENT OF ELECTRICAL ENGINEERING & COMPUTER SCIENCE
Applications and nominations are invited for the position of Professor and Head of the Department of Electrical Engineering and Computer
Science (EECS) at the University of Tennessee, Knoxville (UTK). EECS is housed in a new $37.5 million teaching and research facility completed
in 2012. The department currently has an enrollment of over 500 undergraduate and 220 graduate students, with a faculty of 40, and research
expenditures that exceed $12 million per year. The department was awarded an NSF Engineering Research Center in 2011 focusing on Wide
Area Control of Power Transmission and also houses the Center for Information Technology Research which is one of nine UTK Centers of
Excellence. The College of Engineering is a leading research institution with strong research partnerships with organizations such as the nearby
Oak Ridge National Laboratory.
Primary responsibilities of the department head are to provide visionary leadership; to encourage excellence and innovation in research,
teaching, and service; to advance professional development of faculty, staff and students; to promote productive relationships with all
constituents including students, parents, alumni, industry and government agencies; and to foster productive interdisciplinary relationships
with a variety of entities across the University community. The next department head will have the opportunity to critically shape the future of
the department through strategic hires and Governor’s Chairs in key areas.
Applicants must hold a doctorate degree in electrical engineering, computer engineering, computer science or other closely related field and be
eligible for appointment at the rank of full Professor. Commitment to and knowledge of affirmative action, equal employment opportunity and
diversity are required. The successful candidate must also have a balanced perspective on research and teaching, as well as the vision and
ability to lead a faculty representing a diversified range of interests. Demonstrated excellence in research, technical leadership, management,
and graduate and undergraduate teaching is preferred.
The Knoxville campus of the University of Tennessee is seeking candidates who have the ability to contribute in meaningful ways to the
diversity and intercultural goals of the University. The University welcomes and honors people of all races, genders, creeds, cultures, and
sexual orientations, and values intellectual curiosity, pursuit of knowledge, and academic freedom and integrity. Applications should be
submitted electronically following instructions found at http://jobs.eecs.utk.edu/DeptHead12. Applications should include 1) a curriculum vitae,
2) a statement that addresses both the applicant’s leadership experience/philosophy, and the applicant’s vision for the future of research and
education in the EECS Department, and 3) the full names, postal and email addresses, and telephone numbers of five references. Review of
applications will begin on July 1, 2012, and continue until the position is filled.
The University of Tennessee is an EEO/AA/Title VI/Title IX/Section 504/ADA/ADEA institution in the provision of its education and employment
programs and services. All qualified applicants will receive equal consideration for employment without regard to race, color, national origin,
religion, sex, pregnancy, marital status, sexual orientation, gender identity, age, physical or mental disability, or covered veteran status.
1981 CR Arrow Circle Ad2x4-F-crops.pdf 5/29/2012 10:08:38 AM

devastating capability, revolutionary advantage

Computing Reviews
C

M
is now at
Y
ComputingReviews.com
CM
We’re a global leader in cyber technologies seeking
professionals to join our team …
MY

CY
• kernel/linux developers
CMY • reverse engineers
K • pen testers

Our salaries and benefits are among the best in the

industry, including flexible hours, generous vacation,
and 100% paid premium health plans.

www.ainfosec.com/careers

A daily snapshot of what is hot and new.

eeo m/f/d/v

ju ly 2 0 1 2 | vo l . 55 | n o. 7 | c om m u n i cat ion s o f t h e ac m 125

 tHE ACM A. M. turing AwArd
by the community ◆ from the community ◆ for the community

ACM, Intel, and Google congratulate

JUDEA PEARL
for fundamental contributions to artificial intelligence
through the development of a calculus for probabilistic
and causal reasoning.

“Dr. Pearl’s work provided the original paradigm
case for how to do statistical AI. By placing
structured knowledge representations at the heart
of his work, and emphasizing how these represen-
tations enabled efficient inference and learning,
he showed the field of AI how to build statistical
reasoning systems that were actually telling us
something about intelligence, not just statistics.”
“Judea Pearl is the most prominent advocate for proba-
bilistic models in artificial intelligence. He developed
mathematical tools to tackle complex problems that
handle uncertainty. Before Pearl, AI systems had more
success in black and white domains like chess. But robot-
ics, self-driving cars, and speech recognition deal with
uncertainty. Pearl enabled these applications to flourish,
and convinced the field to adopt these techniques.”

Limor Fix Alfred Spector

Director, University Collaborative Research Group Vice President, Research and Special Initiatives
Intel Labs Google Inc.

For more information see www.intel.com/research. For more information, see http://www.google.com/corporate/
index.html and http://research.google.com/.

Financial support for the ACM A. M. Turing Award is provided by Intel Corporation and Google Inc.

[c on t i n u e d fro m p. 128] Again the
man walked past the department-
store window. Slowed down, the gaze-
tracker showed his eye alight on a
hem here, the hip-tilt on a mannequin
there, a neckline farther along.
“This is creepy,” said Mallory.
I jumped the view forward to where
the guy was now.
“No,” I said. “It’s how I first spot-
ted this pattern, in the shopping-glass
logs. Men notice women’s clothes, just
not the way women do. Same with faces
and bodies; look…”
Subject A had passed the block of
shops and was paying more attention
to the people in the busy street. Again
I rolled back and forwarded slowly, this
time filtering out glances at inanimate
stuff—sidewalk, cars, street furni-
ture—leaving the looks at people.
Subject A was straight. He reg-
istered other men with a sublimi-
nal check that they weren’t a threat.
Women he noticed quite differently:
He didn’t stare or lech, but he defi-
nitely checked them over. Now and
again he’d give a woman a second,
conscious glance. What caught his
eye could be the obvious—the sway
of a hip, say—but far more often it
wasn’t. Rather, an ear, a drift of hair, a
snazzy blouse, eyes, a cuff that set off
a wrist…
“This guy is weird,” Mallory said.
“He’s typical,” I said. “I’ve seen this
scores of times. Men don’t even notice
what they notice about women. It’s
more than they’ll say it is, that’s for
sure.” I brushed my palms together.
“Now for Subject B.”
I clicked a search for a woman with-
in a 500-meter radius whose profile
matched A’s data-mined tastes and—
crucially—whose own taste in men
nominally matched A. Several pos-
sibles popped up, with the street heav-
ing with shoppers, mostly young. Like
A, all had clicked on the agreement to
be included in experiments with the
glasses, almost certainly unaware that
that was what they were doing.
I picked the nearest: about 100
meters from A, walking toward him. I
flashed to A’s and B’s glasses an ad for
cool drinks, flagging-up the salience of
a Caffè Nero.
Mallory watched, horrified.
“This is sick,” he said. “I see what
you’ve done; you’ve mated the shop-
CACM_TACCESS_one-third_page_vertical:Layo last byte
ping algorithm with this dating algo-
rithm…”
“‘Mated’ is right!,” I muttered.
“C’mon c’mon, guys, iced coffee…”
A minute or so apart, B and A en-
tered the same café. The screen fol-
lowed A in.
“This is just so unethical,” Mal- ACM
lory wittered on. “There’ll be privacy
issues, it’ll get hacked and become a
stalker’s paradise, it’ll freak people
Transactions on
out, especially women, you wait and
see, and what if people find out things
Accessible
about themselves, suppose they’re gay
and don’t know it, or don’t want to Computing
know, and…”
“We can stick a counseling mod-
ule on the back,” I said, abstractedly,
following Subject A’s idle gaze as he
queued. “Details, details… Don’t you
see? This is going to shape human
evolution! Just think, people’s real un-
conscious attractions are often geneti-
cally the most suitable for healthy off-
spring, but they get overridden by all
sorts of extraneous…”
Ah, yes. Subject B. There she was, at
the till, paying. Subject A had noticed
her, all right. My next step would be a
discreet message on their glasses: “A
man/woman who might like you and
who you might like is nearby. Would
you like to meet?” The usual Yes/No
blink option. The Yes had to be mu-
tual—ethics, see?
My finger hovered over Send. ◆ ◆ ◆ ◆ ◆
“Excuse me,” said a voice, above the This quarterly publication is a
clatter of cutlery. quarterly journal that publishes
A turned. The young woman beside
refereed articles addressing issues
him in the queue looked quite unlike
subject B, and she didn’t have glasses. of computing as it impacts the
“What?” lives of people with disabilities.
“It’s your turn.” Irritated… The journal will be of particular
“Oh, sorry.” I heard his smile. He interest to SIGACCESS members
called for a tall iced coffee, just as I’d
expected. Then he looked back at the and delegrates to its affiliated
woman. conference (i.e., ASSETS), as well
“And for you… ?” as other international accessibility
“Oh, I’ll…” She looked flustered, conferences.
then smiled. “A skim mocha, thanks.”
Together, chatting, they headed for ◆ ◆ ◆ ◆ ◆
a table. www.acm.org/taccess
“Oh bugger.”
www.acm.org/subscribe
Ken MacLeod ([email protected]) is the author
of 13 novels, from The Star Fraction (Orbit Books, London,
1995) to Intrusion (Orbit Books, London, 2012) and blogs
at The Early Days of a Better Nation (http://kenmacleod.
blogspot.com).
© 2012 ACM 0001-0782/12/07 $15.00
ju ly 2 0 1 2 | vo l . 55 | n o. 7 | c om m u n i cat ion s o f t h e acm 127
last byte

Future Tense, one of the revolving features on this page, presents stories and
essays from the intersection of computational science and technological speculation,
their boundaries limited only by our ability to imagine what could be.

DOI:10.1145/2209249.2209275 Ken MacLeod

Future Tense
They Just Click
When glasses track glances, will eyes
still meet across a crowded room?

“ P e o ple d o n ’ t re a d end-user license

agreements,” said Mallory, unhappily.
“They just click.”
“I know.” I fired up the demo for its
first walk-through. “Shrink-wrap’s wa-
tertight.”
The screen lit up with the view from
Subject A’s glasses: a typical English
Saturday suburban High Street.
“See?,” I said. “Anonymized. Ethical.”
I knew Subject A was male. I didn’t
know his name, age, location, or ap-
pearance. The system did.
On the screen the gaze-tracker
flicked about like a jittery cursor. Every
millisecond moment when something
snagged the gaze was logged, too fast
to read except when he deliberately
looked. Right now: running shoes in a
sports-shop window.
The view swung as he turned and
walked on. He passed a department-
store display of the latest summer
dresses without a glance. The next
shop was stationery. Even in real time,
you could see his gaze linger on a nifty
gift-pen cluster.
“So far, so shopping-glass,” said
Mallory, sounding skeptical rather
than dubious.
“Roll back,” I told the system. “Now
forward, slow.” [ c o ntin u e d on p. 127]
Photogra ph by NemesisINC/ sh utt ersto ck. com

Mallory watched,
horrified.

128 c o mm unicatio ns o f t h e ac m | j u ly 201 2 | vol . 5 5 | no. 7