Software engineering, programming methodology, languages, verification, general technology, publication culture, and more
The lecture schedule has now been posted for the 2019 LASER summer school on artificial intelligence, machine learning and software engineering. The speakers are Shai Ben-David (Waterloo), Lionel Briand (Luxembourg), Pascal Fua (EPFL), Erik Meijer (Facebook), Tim Menzies (NC State) and I.
The last deadline for registration is May 20.
The school takes place June 1-9 in the magnificent Hotel del Golfo in Elba Island, Italy.
All details at www.laser-foundation.org/school/2019.
Over breakfast at your hotel you read an article berating banks about the fraudulent credit card transactions they let through. You proceed to check out and bang! Your credit card is rejected because (as you find out later) the bank thought [1] it couldn’t possibly be you in that exotic place. Ah, those banks! They accept too much. Ah, those banks! They reject too much. Finding the right balance is a case of soundness versus precision.
Similar notions are essential to the design of tools for program analysis, looking for such suspicious cases as dead code (program parts that will never be executed). An analysis can be sound, or not; it can be complete, or not.
These widely used concepts are sometimes misunderstood. The first answer I get when innocently asking people whether the concepts are clear is yes, of course, everyone knows! Then, as I bring up such examples as credit card rejection or dead code detection, assurance quickly yields to confusion. One sign that things are not going well is when people start throwing in terms like “true positive” and “false negative”. By then any prospect of reaching a clear conclusion has vanished. I hope that after reading this article you will never again (in a program analysis context) be tempted to use them.
Now the basic idea is simple. An analysis is sound if it reports all errors, and complete if it only reports errors. If not complete, it is all the more precise that it reports fewer non-errors.
You can stop here and not be too far off [2]. But a more nuanced and precise discussion helps.
As an example of common confusion, one often encounters attempts to help through something like Figure 1, which cannot be right since it implies that all sound methods are complete. (We’ll have better pictures below.)
Figure 1: Naïve (and wrong) illustration
Perhaps this example can be dismissed as just a bad use of illustrations [3] but consider the example of looking for dead code. If the analysis wrongly determines that some reachable code is unreachable, is it unsound or incomplete?
With this statement of the question, the only answer is: it depends!
It depends on the analyzer’s mandate:
As another example, consider an analyzer that finds out whether a program will terminate. (If you are thinking “but that can’t be done!“, see the section “Appendix: about termination” at the very end of this article.) If it says a program does not terminates when in fact it does, is it unsound or incomplete?
Again, that depends on what the analyzer seeks to establish. If it is about the correctness of a plain input-to-output program (a program that produces results and then is done), we get incompleteness: the analyzer wrongly flags a program that is actually OK. But if it is about verifying that continuously running programs, such as the control system for a factory, will not stop (“liveness”), then the analyzer is unsound.
Examples are not limited to program analysis. A fraud-indentification process that occasionally rejects a legitimate credit card purchase is, from the viewpoint of preserving the bank from fraudulent purchases, incomplete. From the viewpoint of the customer who understands a credit card as an instrument enabling payments as long as you have sufficient credit, it is unsound.
These examples suffice to show that there cannot be absolute definitions of soundness and precision: the determination depends on which version of a boolean property we consider desirable. This decision is human and subjective. Dead code is desirable for the optimizing compiler and undesirable (we will say it is a violation) for the style checker. Termination is desirable for input-output programs and a violation for continuously running programs.
Once we have decided which cases are desirable and which are violations, we can define the concepts without any ambiguity: soundness means rejecting all violations, and completeness means accepting all desirables.
While this definition is in line with the unpretentious, informal one in the introduction, it makes two critical aspects explicit:
We will now explore the consequences of these observations.
For all sufficiently interesting problems, theoretical limits (known as Rice’s theorem) ensure that it is impossible to obtain both soundness and completeness.
But it is not good enough to say “we must be ready to renounce either soundness or completeness”. After all, it is very easy to obtain soundness if we forsake completeness: reject every case. A termination-enforcement analyzer can reject every program as potentially non-terminating. A bank that is concerned with fraud can reject every transaction (this seems to be my bank’s approach when I am traveling) as potentially fraudulent. Dually, it is easy to ensure completeness if we just sacrifice soundness: accept every case.
These extreme theoretical solutions are useless in practice; here we need to temper the theory with considerations of an engineering nature.
The practical situation is not as symmetric as the concept of duality theoretically suggests. If we have to sacrifice one of the two goals, it is generally better to accept some incompleteness: getting false alarms (spurious reports about cases that turn out to be harmless) is less damaging than missing errors. Soundness, in other words, is essential.
Even on the soundness side, though, practice tempers principle. We have to take into account the engineering reality of how tools get produced. Take a program analyzer. In principle it should cover the entire programming language. In practice, it will be built step by step: initially, it may not handle advanced features such as exceptions, or dynamic mechanisms such as reflection (a particularly hard nut to crack). So we may have to trade soundness for what has been called “soundiness” [4], meaning soundness outside of cases that the technology cannot handle yet.
If practical considerations lead us to more tolerance on the soundness side, on the completeness side they drag us (duality strikes again) in the opposite direction. Authors of analysis tools have much less flexibility than the theory would suggest. Actually, close to none. In principle, as noted, false alarms do not cause catastrophes, as missed violations do; but in practice they can be almost as bad. Anyone who has ever worked on or with a static analyzer, going back to the venerable Lint analyzer for C, knows the golden rule: false alarms kill an analyzer. When people discover the tool and run it for the first time, they are thrilled to discover how it spots some harmful pattern in their program. What counts is what happens in subsequent runs. If the useful gems among the analyzer’s diagnostics are lost in a flood of irrelevant warnings, forget about the tool. People just do not have the patience to sift through the results. In practice any analysis tool has to be darn close to completeness if it has to stand any chance of adoption.
Completeness, the absence of false alarms, is an all-or-nothing property. Since in the general case we cannot achieve it if we also want soundness, the engineering approach suggests using a numerical rather than boolean criterion: precision. We may define the precision pr as 1 – im where im is the imprecision: the proportion of false alarms.
The theory of classification defines precision differently: as pr = tp / (tp + fp), where tp is the number of false positives and fp the number of true positives. (Then im would be fp / (tp + fp).) We will come back to this definition, which requires some tuning for program analyzers.
From classification theory also comes the notion of recall: tp / (tp + fn) where fn is the number of false negatives. In the kind of application that we are looking at, recall corresponds to soundness, taken not as a boolean property (“is my program sound?“) but a quantitative one (“how sound is my program?“). The degree of unsoundness un would then be fn / (tp + fn).
With the benefit of the preceding definitions, we can illustrate the concepts, correctly this time. Figure 2 shows two different divisions of the set of U of call cases (universe):
Figure 2: All cases, classified
The first classification, left versus right columns in Figure 2, is how things are (the reality). The second classification, top versus bottom rows, is how we try to assess them. Then we get four possible categories:
The following properties hold, where U (Universe) is the set of all cases and ⊕ is disjoint union [5]:
— Properties applicable to all cases:
U = D ⊕ V
U = P ⊕ R
D = A ⊕ F
V = C ⊕ M
P = A ⊕ M
R = C ⊕ F
U = A ⊕M ⊕ F ⊕ C
We also see how to define the precision pr: as the proportion of actual violations to reported violations, that is, the size of C relative to R. With the convention that u is the size of U and so on, then pr = c / r, that is to say:
We can similarly define soundness in its quantitative variant (recall):
These properties reflect the full duality of soundness and completeness. If we reverse our (subjective) criterion of what makes a case desirable or a violation, everything else gets swapped too, as follows:
Figure 3: Duality
We will say that properties paired this way “dual” each other [6].
It is just as important (perhaps as a symptom that things are not as obvious as sometimes assumed) to note which properties do not dual. The most important examples are the concepts of “true” and “false” as used in “true positive” etc. These expressions are all the more confusing that the concepts of True and False do dual each other in the standard duality of Boolean algebra (where True duals False, Or duals And, and an expression duals its negation). In “true positive” or “false negative”, “true” and “false” do not mean True and False: they mean cases in which (see figure 2 again) the assessment respectively matches or does not match the reality. Under duality we reverse the criteria in both the reality and the assessment; but matching remains matching! The green areas remain green and the red areas remain red.
The dual of positive is negative, but the dual of true is true and the dual of false is false (in the sense in which those terms are used here: matching or not). So the dual of true positive is true negative, not false negative, and so on. Hereby lies the source of the endless confusions.
The terminology of this article removes these confusions. Desirable duals violation, passed duals rejected, the green areas dual each other and the red areas dual each other.
If we define an ideal world as one in which assessment matches reality [7], then figure 2 would simplify to just two possibilities, the green areas:
Figure 4: Perfect analysis (sound and complete)
This scheme has the following properties:
— Properties of a perfect (sound and complete) analysis as in Figure 4:
M = ∅ — No missed violations
F = ∅ — No false alarms
P = D — Identify desirables exactly
R = V –Identify violations exactly
As we have seen, however, the perfect analysis is usually impossible. We can choose to build a sound solution, potentially incomplete:
Figure 5: Sound desirability analysis, not complete
In this case:
— Properties of a sound analysis (not necessarily complete) as in Figure 5:
M = ∅ — No missed violations
P = A — Accept only desirables
V = C — Catch all violations
P ⊆ D — Under-approximate desirables
R ⊇ V — Over-approximate violations
Note the last two properties. In the perfect solution, the properties P = D and R = V mean that the assessment, yielding P and V, exactly matches the reality, D and V. From now on we settle for assessments that approximate the sets of interest: under-approximations, where the assessment is guaranteed to compute no more than the reality, and over-approximations, where it computes no less. In all cases the assessed sets are either subsets or supersets of their counterparts. (Non-strict, i.e. ⊆ and ⊇ rather than ⊂ and ⊃; “approximation” means possible approximation. We may on occasion be lucky and capture reality exactly.)
We can go dual and reach for completeness at the price of possible unsoundness:
Figure 6: Complete desirability analysis, not sound
The properties are dualled too:
— Properties of a complete analysis (not necessarily sound), as in Figure 6:
F = ∅ — No false alarms
R = C — Reject only violations
D = A — Accept all desirables
P ⊇ D — Over-approximate desirables
R ⊆ V — Under-approximate violations
We saw above why the terms “true positives”, “false negatives” etc., which do not cause any qualms in classification theory, are deceptive when applied to the kind of pass/fail analysis (desirables versus violations) of interest here. The definition of precision provides further evidence of the damage. Figure 7 takes us back to the general case of Figure 2 (for analysis that is guaranteed neither sound nor complete) but adds these terms to the respective categories.
Figure 7: Desirability analysis (same as fig. 2 with added labeling)
The analyzer checks for a certain desirable property, so if it wrongly reports a violation (F) that is a false negative, and if it misses a violation (M) it is a false positive. In the definition from classification theory (section 2, with abbreviations standing for True/False Positives/Negatives): TP = A, FP = M, FN = F, TN = C, and similarly for the set sizes: tp = a, fp = m, fn = f, tn = c.
The definition of precision from classification theory was pr = tp / (tp + fp), which here gives a / (a + m). This cannot be right! Precision has to do with how close the analysis is to completeness, that is to day, catching all violations.
Is classification theory wrong? Of course not. It is simply that, just as Alice stepped on the wrong side of the mirror, we stepped on the wrong side of duality. Figures 2 and 7 describe desirability analysis: checking that a tool does something good. We assess non-fraud from the bank’s viewpoint, not the stranded customer’s; termination of input-to-output programs, not continuously running ones; code reachability for a static checker, not an optimizing compiler. Then, as seen in section 3, a / (a + m) describes not precision but soundness (in its quantitative interpretation, the parameter called “so” above).
To restore the link with classification theory , we simply have to go dual and take the viewpoint of violation analysis. If we are looking for possible violations, the picture looks like this:
Figure 8: Violation analysis (same as fig. 7 with different positive/negative labeling)
Then everything falls into place: tp = c, fp = f, fn = m, tn = a, and the classical definition of precision as pr = tp / (tp + fp) yields c / (c + f) as we are entitled to expect.
In truth there should have been no confusion since we always have the same picture, going back to Figure 2, which accurately covers all cases and supports both interpretations: desirability analysis and violation analysis. The confusion, as noted, comes from using the duality-resistant “true”/”false” opposition.
To avoid such needless confusion, we should use the four categories of the present discussion: accepted desirables, false alarms, caught violations and missed violations [8]. Figure 2 and its variants clearly show the duality, given explicitly in Figure 3, and sustains interpretations both for desirability analysis and for violation analysis. Soundness and completeness are simply special cases of the general framework, obtained by ruling out one of the cases of incorrect analysis in each of Figures 4 and 5. The set-theoretical properties listed after Figure 2 express the key concepts and remain applicable in all variants. Precision c / (c + f) and quantitative soundness a / (a + m) have unambiguous definitions matching intuition.
The discussion is, I hope, sound. I have tried to make it complete. Well, at least it is precise.
[1] Actually it’s not your bank that “thinks” so but its wonderful new “Artificial Intelligence” program. ⤣
[2] For a discussion of these concepts as used in testing see Mauro Pezzè and Michal Young, Software Testing and Analysis: Process, Principles and Techniques, Wiley, 2008. ⤣
[3] Edward E. Tufte: The Visual Display of Quantitative Information, 2nd edition, Graphics Press, 2001.⤣
[4] Michael Hicks,What is soundness (in static analysis)?, blog article available here, October 2017. ⤣
[5] The disjoint union property X = Y ⊕ Z means that Y ∩ Z = ∅ (Y and Z are disjoint) and X = Y ∪ Z (together, they yield X). ⤣
[6] I thought this article would mark the introduction into the English language of “dual” as a verb, but no, it already exists in the sense of turning a road from one-lane to two-lane (dual). ⤣
[7] As immortalized in a toast from the cult movie The Prisoner of the Caucasus: “My great-grandfather says: I have the desire to buy a house, but I do not have the possibility. I have the possibility to buy a goat, but I do not have the desire. So let us drink to the matching of our desires with our possibilities.” See 6:52 in the version with English subtitles. ⤣
[8] To be fully consistent we should replace the term “false alarm” by rejected desirable. I is have retained it because it is so well established and, with the rest of the terminology as presented, does not cause confusion. ⤣
[9] Byron Cook, Andreas Podelski, Andrey Rybalchenko: Proving Program Termination, in Communications of the ACM, May 2011, Vol. 54 No. 5, Pages 88-98. ⤣
This reflection arose from ongoing work on static analysis of OO structures, when I needed to write formal proofs of soundness and completeness and found that the definitions of these concepts are more subtle than commonly assumed. I almost renounced writing the present article when I saw Michael Hicks’s contribution [4]; it is illuminating, but I felt there was still something to add. For example, Hicks’s set-based illustration is correct but still in my opinion too complex; I believe that the simple 2 x 2 pictures used above convey the ideas more clearly. On substance, his presentation and others that I have seen do not explicitly mention duality, which in my view is the key concept at work here.
I am grateful to Carlo Ghezzi for enlightening discussions, and benefited from comments by Alexandr Naumchev and others from the Software Engineering Laboratory at Innopolis University.
With apologies to readers who have known all of the following from kindergarten: a statement such as (section 1): “consider an analyzer that finds out whether a program will terminate” can elicit no particular reaction (the enviable bliss of ignorance) or the shocked rejoinder that such an analyzer is impossible because termination (the “halting” problem) is undecidable. This reaction is just as incorrect as the first. The undecidability result for the halting problem says that it is impossible to write a general termination analyzer that will always provide the right answer, in the sense of both soundness and completeness, for any program in a realistic programming language. But that does not preclude writing termination analyzers that answer the question correctly, in finite time, for given programs. After all it is not hard to write an analyzer that will tell us that the program from do_nothing until True loop do_nothing end will terminate and that the program from do_nothing until False loop do_nothing end will not terminate. In the practice of software verification today, analyzers can give such sound answers for very large classes of programs, particularly with some help from programmers who can obligingly provide variants (loop variants, recursion variants). For a look into the state of the art on termination, see the beautiful survey by Cook, Podelski and Rybalchenko [9].
The DEVOPS 2019 workshop (6-8 May 2019) follows a first 2018 workshop whose proceedings [1] have just been published in the special LASER-Villebrumier subseries of Springer Lecture notes in Computer Science. It is devoted to software engineering aspects of continuous development and new paradigms of software production and deployment, including but not limited to DevOps.
The keynote will be delivered by Gail Murphy, vice-president Research & Innovation at University of British Columbia and one of leaders in the field of empirical software engineering.
The workshop is held at the LASER conference center in Villebrumier near Toulouse. It is by invitation; if you would like to receive an invitation please contact one of the organizers (Jean-Michel Bruel, Manuel Mazzara and me) with a short description of your interest in the field.
Jean-Michel Bruel, Manuel Mazzara and Bertrand Meyer (eds.), Software Engineering Aspects of Continuous Development and New Paradigms of Software Production and Deployment, First International Workshop, DEVOPS 2018, Chateau de Villebrumier, France, March 5-6, 2018, Revised Selected Papers, see here..
A reminder about this year’s LASER school, taking place in Elba, Italy, June 1 to 9. The theme is
AI + ML + SE
and the speakers:
Details at https://www.laser-foundation.org/school/. From that page:
The 15th edition of the prestigious LASER summer school, in the first week of June 2019, will be devoted to the complementarity and confluence of three major areas of innovation in IT: Artificial Intelligence, Machine Learning and of course Software Engineering.
The school takes place in the outstanding environment of the Hotel del Golfo in Procchio, Elba, off the coast of Tuscany.
There is a fateful ritual to keynote invitations. The first message reads (I am paraphrasing): “Respected peerless luminary of this millennium and the next, Will your excellency ever forgive me for the audacity of asking if you would deign to leave for a short interlude the blessed abodes that habitually beget your immortal insights, and (how could I summon the gall of even forming the thought!) consider the remote possibility of honoring our humble gathering with your august presence, condescending upon that historic occasion to partake of some minute fragment of your infinite wisdom with our undeserving attendees?”. The subsequent email, a few months later, is more like: “Hi Bertrand, looks like we don’t have your slides yet, the conference is coming up and the deadline was last week, did I miss anything?”. Next: “Hey you! Do you ever read your email? Don’t try the old line about your spam filter. Where are your slides? Our sponsors are threatening to withdraw funding. People are cancelling their registrations. Alexandria Ocasio-Cortez is tweeting about the conference. Send the damn stuff!” Last: “Scum, listen. We have athletic friends and they know where you live. The time for sending your PDF is NOW.”
Actually I don’t have my slides. I will have them all right for the talk. Maybe five minutes before, if you insist nicely. The talk will be bad or it will be less bad, but the slides are meant for the talk, they are not the talk. Even if I were not an inveterate procrastinator, rising at five on the day of the presentation to write them, I would still like to attend the talks before mine and refer to them. And why in the world would I let you circulate my slides in advance and steal my thunder?
This whole business of slides has become bizarre, a confusion of means and ends. Cicero did not use slides. Lincoln did not have PowerPoint. Their words still struck.
We have become hooked to slides. We pretend that they help the talk but that is a blatant lie except for the maybe 0.1% of speakers who use slides wisely. Slides are not for the benefit of the audience (are you joking? What slide user cares about the audience? Hahaha) but for the sole, exclusive and utterly selfish benefit of the speaker.
Good old notes (“cheat sheets”) would be more effective. Or writing down your speech and reading it from the lectern as historians still do (so we are told) at their conferences.
If we use slides at all, we should reserve them for illustration: to display a photograph, a graph, a table. The way politicians and police chiefs do when they bring a big chart to support their point a press conference.
I am like everyone else and still use slides as crutches. It’s so tempting. But don’t ask me to provide them in advance.
What about afterwards? It depends. Writing down the talk in the form of a paper is better. If you do not have the time, the text of the slides can serve as a simplified record. But only if the speaker wants to spread them that way. There is no rule that slides should be published. If you see your slides as an ephemeral artifact to support an evanescent event (a speech at a conference) and wish them to remain only in the memory of those inspired enough to have attended it, that is your privilege.
Soliciting speaker slides: somewhat sane, slightly strange, or simply silly?
Nulle part, dans la cohue des exégèses du mouvement des « gilets jaunes », ne trouve-t-on l’explication pourtant évidente : c’est pour partie une affaire de droit commun et pour le reste un coup de main proto-fasciste. Rien d’autre.
L’aspect le plus clair est celui de la délinquance. Dans quel autre pays civilisé des énergumènes se mettent-ils, pour clamer leurs frustrations, à opprimer leurs concitoyens en paralysant la société par la violence ? Dans un seul. La France. Et c’est en France seulement que l’on ne trouve rien à redire. En France et dans tous les pays du monde, si vous bloquez l’entrée d’un rond-point avec votre voiture, les gendarmes arrivent et vous emmènent au poste. En France seulement, si vous faites la même chose avec trente de vos acolytes, tout le monde compatit, le préfet vient repectueusement palabrer avec vous, et Le Monde convoque un professeur de sociologie pour expliquer combien vous avez raison de souffrir du mépris des élites. Absurde et inouï. Si le gouvernement Macron a fait une erreur, c’est celle-là : au premier péage bloqué, au premier radar neutralisé, il fallait dans les dix minutes coffrer les délinquants et les déférer à la justice – quitte à elle, dans la meilleure tradition d’un pays démocratique, de les juger sans passion en écoutant leurs doléances. Mais se plier à la morgue de ces gens qui utilisent la force pour empêcher les autres de vivre leur vie et d’assurer leur subsistance ? La suite était à prévoir : l’illégalité étant officiellement sanctionnée, tout ce qu’un pays compte d’extrémistes de gauche et de droite, et de simples malfrats ravis de casser et de piller, s’engouffre dans la brèche. Mais c’est hypocrite de regretter les malheureux débordements. Avant même l’entrée des casseurs professionnels, la violence était dès la première heure la définition même du mouvement. Il ne s’agissait pas de plaintes, de pétitions, de manifestations ; il s’agissait de saboter le fonctionnement le plus élémentaire d’une société civilisée. D’empêcher les citoyens de circuler et de travailler. Dans tout autre pays les voyous se retrouvaient immédiatement en prison. En France, on les invite à la télévision.
L’illégalité de droit commun n’est que le début. L’idéologie et surtout la pratique de ces gens rappellent de plus en plus le fascisme. Le fascisme est, pour une large part, le triomphe de la force brute sur la légalité: la prise de pouvoir d’une minorité par la violence, et l’imposition par la violence de ses valeurs au reste de la société. Les 250 000 bloqueurs du premier samedi représentaient moins d’un pour cent de la population adulte. De quel droit s’arrogent-ils l’autorité de décider qui passe et qui ne passe pas ? De tabasser un jeune homme et sa compagne, partis pour le cinéma, parce qu’ils refusent de klaxonner leur approbation ? C’est pour ne pas avoir arrêté dans l’œuf ce genre d’action brutale et illégale que l’Allemagne, l’Italie, l’Espagne, le Portugal et d’autres se sont retrouvés dans les années trente sous le joug de dictatures sanguinaires. Le semblant bonhomme et sincère de certains bloqueurs de ronds-points ne peut faire illusion. Il ne s’agit ni plus ni moins que de l’attaque de la force brute. Celle qui ne s’embarrasse pas d’arguments et qui se contente de vous asséner : vous ferez ce que vous dis, car je suis fort, vous êtes faible, et vous êtes en mon pouvoir.
Et leurs revendications ? Tous les conservatismes, tous les refus de raisonner, tout le fiel des envieux s’y retrouvent. Le mouvement, on ne le dira jamais assez, est d’abord celui des chauffards. Qui fréquente la France des provinces sait quelle haine a suscitée l’une des réformes précédentes, la limitation à 80 km/h. La raison était pourtant simple : les ingénieurs ont calculé qu’on pouvait sauver 300 vies par an de cette façon. Les chauffards — qui fréquente la France des routes départementales les connaît bien — n’accordent aucune attention à cet objectif de salut public : non, prétendent-ils, ce n’est qu’un prétexte pour nous ponctionner un peu plus. D’ailleurs l’ire des chauffards, des gilets jaunes, se concentre sur tout ce qui améliore la sécurité routière, comme les radars. La hausse des taxes sur les carburants n’est que le prétexte suivant pour se mettre en colère, prétexte d’autant plus absurde que cette hausse survient à un moment où les prix de base chutent. Quant à la transition énergétique, personne n’y prête attention non plus. Là aussi pourtant, les scientifiques s’époumonent à nous avertir : il est minuit moins une pour faire quelque chose, sinon le monde court à la catastrophe ; accidents climatiques constants, îles englouties, migrations cette fois-ci par dizaines de millions. Vous pourrez bien bloquer les ronds-points alors. Mais non, ce sont encore ces technocrates de Paris qui veulent nous prendre notre argent.
Le problème politique est profondément et exclusivement français. Les Français sont uniques, y compris parmi leurs voisins d’Europe occidentale. L’exception française a ses attraits : le goût, la tradition, l’élégance (pas chez les gilets jaunes), l’amour pour une langue d’une beauté sans égale. Mais elle se manifeste aussi par des défauts indéracinables. Dans tous les pays du monde, le citoyen moyen comprend que pour que quelqu’un reçoive de l’argent quelqu’un doit en produire. L’état c’est moi, et toi, et elle, et lui. Pas en France (et l’on peut avoir fait Polytechnique sans que jamais on vous ait expliqué ce qui ailleurs relève de l’école communale). En France « L’État » c’est quelqu’un d’autre. Il nous prend notre argent, toujours trop, et il est tenu de nous en donner, jamais assez. Il est de bon ton de se moquer des Américains qui croient que le monde a été créé tel quel en six jours, mais les Américains, jusqu’au moins instruit, comprennent les rudiments de l’économie. Les Français non. D’où les revendications conjointes de moins d’impôts et de plus d’aides. On ne peut sous-estimer ici l’influence de la gauche à la française. Cent ans de gauchisme primaire ont profondément corrompu le conscient et l’inconscient collectifs. Les patrons sont des exploiteurs, les salariés des exploités, révoltez-vous !
La deuxième catastrophe va avec la première : l’incompréhension des règles de la démocratie et l’imputation au gouvernement en place (dans le cas présent, en place depuis à peine un an et demi) de tout ce qui va mal. Gavroche le chantait déjà : Je suis tombé par terre / C’est la faute à Voltaire / Le nez dans le ruisseau / C’est la faute à Rousseau. Il ajouterait aujourd’hui :
J’en ai pris plein le front
C’est la faute à Macron
La démocratie, comprise à la française, ce sont tous les privilèges et aucun devoir. C’est le droit inaliénable de la minorité à se venger de son sort sur les innocents. Titre du Monde : « En occupant le rond-point de Gaillon, dans l’Eure, des manifestants forgent leur conscience politique et s’exercent à la démocratie ». Remarquable. On imagine les variantes : « En tirant au bazooka sur mes voisins, je m’exerce au pacifisme ». « En volant des voitures, je m’exerce au civisme ». « En trichant à l’examen, je m’exerce à l’honnêteté ». Invraisembable inversion des valeurs : l’arbitraire et le règne de la force brute érigés en morale.
La troisième catastrophe française est le recours immédiat et constant au sabotage et à la violence. Qui vient régulièrement en France de l’étranger est habitué au phénomène, que l’on pourrait appeler, si c’était drôle, le syndrome des Galeries Lafayette : il se passe toujours quelque chose. Parfois tragiquement venu de l’extérieur, comme dans le cas du terrorisme. Mais le plus souvent interne : grève du rail, grève d’Air France, grève des contrôleurs aériens, manifestation violente, incendie de voitures (dans quel autre pays le nouvel an signifie-t-il qu’on brûle chaque année des centaines de voitures ?), blocage de l’approvisionnement en essence, grève des « intermittents du spectacle » (parce qu’on ne les paye pas assez quand ils ne travaillent pas). Résultat : dans tous les pays voisins, on peut tranquillement planifier un voyage ; en France c’est impossible, on ne sait jamais ce qui va se produire. La violence en particulier est indigne d’un pays démocratique. De ce point de vue les gilets jaunes et leurs coups de main fascisants ne font que suivre une tradition ininterrompue, et largement impunie par crainte des conséquences (toujours le règne de la force) : séquestration de patrons, occupation illégale des universités avec dégradations en millions d’euros et représailles physiques contre ceux qui osent essayer de passer leurs examens, tabassage des responsables des relations humaines d’Air France par des syndicats de type quasi-mafieux. Au-delà de la violence, le dérèglement continuel est la source principale du retard français. La France est aujourd’hui le seul pays d’Europe où les vendeurs par correspondance ont cessé de garantir des dates de livraison, pour cause de troubles. Comment accepter une situation aussi humiliante ? Si les Suisses, les Allemands et d’autres réussissent tellement mieux, ce n’est pas qu’ils soient particulièrement plus intelligents. (D’intelligence et de créativité, la France n’en manque pas, du reste elle en exporte de plus en plus, comme elle exporta ses Huguenots après 1685.) C’est tout simplement qu’ils travaillent dans un environnement stable.
Le résultat récent le plus clair et le plus tragique est l’échec de ce qui aurait pu être une chance majeure pour la France : la récupération de l’industrie financière britannique pulvérisée par l’imbécile Brexit. Paris avait tous les atouts : la magie de la ville (vous iriez vivre à Francfort, vous, si vous aviez le choix ?), un gouvernement jeune et dynamique. Mais les banquiers ne sont pas fous. La banque a besoin de calme et de stabilité. Pas d’occupations, de grèves, de blocages, de déprédations et d’émeutes. Partie perdue, irrémédiablement.
Les destructions ne sont pas des débordements du mouvement : elles sont le mouvement. Dès le début, dès le premier automobiliste empêché de se rendre à son travail, il ne s’agissait pas de protester : il s’agissait de casser l’activité économique. Déjà les commerçants, pour qui novembre et décembre sont les mois clés, annoncent la pire saison depuis des années (et demandent bien sûr des dédommagements à l’État, c’est-à-dire une ponction supplémentaire). Une conspiration au seul bénéfice d’Amazon ne s’y serait pas prise autrement. Qui ne peut voir qu’il ne s’agit en aucun cas d’une protestation politique respectueuse de la démocratie, mais purement et simplement d’une tentative de destruction du pays ?
On s’arrêtera à la quatrième catastrophe française : la démission des clercs. C’est toujours très bien vu en France de s’enthousiasmer pour des idéologies rutilantes et généralement meurtrières. C’est très, très mal vu de soutenir le pouvoir, même quand il représente la raison, le droit et l’avenir. Mais où sont donc les fameuses élites (celles contre qui, selon les poncifs, le peuple est censé se révolter) ? Elles sont occupées à trouver des excuses aux vandales. Le Monde, auto-proclamé « journal de référence » (traduction : le New York Times sans les prix Nobel et sans les correcteurs d’orthographe), a passé tout l’été sur un scandale qu’il avait monté de toutes pièces, et sacrifie quotidiennement la vérité à une espèce de bonne conscience gauchisante sans aucun souci de l’avenir du pays. Le Figaro, au lieu de rallier la bourgeoisie au seul garant possible de l’ordre, se perd en élucubrations identitaires. Libération se croit toujours en Mai 68 et ne suit plus très bien ce qui se passe. Le Canard Enchaîné, vestige de la presse à chantage des années trente, dont on ne saurait sous-estimer dans le paysage français la puissance ricanante, méprisante, délétère et invincible, propage un peu plus chaque mercredi (entre ses contrepèteries obscènes) l’image du « tous pourris ». Pour soutenir Macron, personne.
Les élites devraient pourtant se rallier en masse ; non que Macron et Philippe soient infaillibles (ils ont fait des erreurs et ils en referont) mais tout simplement parce que dans la situation politique française actuelle ils sont le seul espoir crédible d’éviter le désastre. Le désastre, c’est la tiers-mondisation accélérée, l’écroulement de l’économie et le glissement vers le totalitarisme. D’un côté, un démagogue avide de pouvoir, suppôt de toutes les dictatures, admirateur de Chavez et de Maduro (qui en quelques années ont fait d’un des pays les plus stables de l’Amérique Latine, producteur de pétrole de surcroît, un abîme de pauvreté où les enfants meurent faute de médicaments et l’inflation mensuelle est à 94%, et qui serait pour nous le modèle ?) ; de l’autre, une extrémiste incompétente, issue d’un clan familial corrompu qui n’a jamais complètement renoncé à ses sources idéologiques des années trente. Macron est jeune, intelligent, compétent, calme et veut réformer la France là où elle en a le plus besoin, pour le bénéfice même de ceux qui n’ont rien trouvé de mieux pour progresser que de faire du chantage au reste du pays. Il a été démocratiquement élu, par une majorité sans ambages. La simple éthique démocratique appelle à le laisser faire son travail. Le simple souci du salut public appelle à le soutenir.
Tous ceux qui croient en la démocratie ; qui ont confiance dans l’énorme potentiel de la France ; qui savent qu’il faut en finir avec les lourdeurs et incongruités qui la paralysent ; qui perçoivent le risque énorme de totalitarisme ; et qui refusent que la violence d’une minorité l’emporte sur l’état de droit ; tous ceux-là doivent mettre au vestiaire le cynisme et l’éternel moquerie française pour s’engager publiquement et sans réserve, sans complaisance mais sans états d’âme, derrière l’unique force qui peut éviter la descente aux enfers.
Requirements engineering (studying and documenting what a software system should do, independently of how it will do it) took some time to be recognized as a key part of software engineering, since the early focus was, understandably, on programming. It is today a recognized sub-discipline and has benefited in the last decades from many seminal concepts. An early paper of mine, On Formalism in Specifications [1], came at the beginning of this evolution; it made the case for using formal (mathematics-based) approaches. One of the reasons it attracted attention is its analysis of the “seven sins of the specifier”: a list of pitfalls into which authors of specifications and requirements commonly fall.
One of the techniques presented in the paper has not made it into the standard requirements-enginering bag of tricks. I think it deserves to be known, hence the present note. There really will not be anything here that is not in the original article; in fact I will be so lazy as to reuse its example. (Current requirements research with colleagues should lead to the publication of new examples.)
Maybe the reason the idea did not register is that I did not give it a name. So here goes: formal picnic.
The usual software engineering curriculum includes, regrettably, no room for field trips. We are jealous of students and teachers of geology or zoology and their occasional excursions: once in a while you put on your boots, harness your backpack, and head out to quarries or grasslands to watch pebbles or critters in flagrante, after a long walk with the other boys and girls and before all having lunch together in the wild. Yes, scientific life in these disciplines really is a picnic. What I propose for the requirements process is a similar excursion; not into muddy fields, but into the dry pastures of mathematics.
The mathematical picnic process starts with a natural-language requirements document. It continues, for some part of the requirements, with a translation into a mathematical version. It terminates with a return trip into natural language.
The formal approach to requirements, based on mathematical notations (as was discussed in my paper), is still controversial; a common objection is that requirements must be understandable by ordinary project stakeholders, many of whom do not have advanced mathematical skills. I am not entering this debate here, but there can be little doubt that delicate system properties can be a useful step, if only for the requirements engineers themselves. Mathematical notation forces precision.
What, then, if we want to end up with natural language for clarity, but also to take advantage of the precision of mathematics? The formal picnic answer is that we can use mathematics as a tool to improve the requirements. The three steps are:
This final version is still in (say) English, but typically not the kind of English that most people naturally write. It may in fact “sound funny”. That is because it is really just mathematical formulae translated back into English. It retains the precision and objectivity of mathematics, but is expressed in terms that anyone can understand.
Let me illustrate the mathematical picnic idea with the example from my article. For reasons that do not need to be repeated here (they are in the original), it discussed a very elementary problem of text processing: splitting a text across lines. The original statement of the problem, from a paper by Peter Naur, read:
Given a text consisting of words separated by BLANKS or by NL (new line) characters, convert it to a line-by-line form in accordance with the following rules: (1) line breaks must be made only where the given text has BLANK or NL; (2) each line is filled as far as possible as long as (3) no line will contain more than MAXPOS characters.
My article then cited an alternative specification proposed in a paper by testing experts John Goodenough and Susan Gerhart. G&G criticized Naur’s work (part of the still relevant debate between proponents of tests and proponents of proofs such as Naur). They pointed out deficiencies in his simple problem statement above; for example, it says nothing about the case of a text containing a word of more than MAXPOS characters. G&G stated that the issue was largely one of specification (requirements) and went on to propose a new problem description, four times as long as Naur’s. In my own article, I had a field day taking aim at their own endeavor. (Sometime later I met Susan Gerhart, who was incredibly gracious about my critique of her work, and became an esteemed colleague.) I am not going to cite the G&G replacement specification here; you can find it in my article.
Since that article’s topic was formal approaches, it provided a mathematical statement of Naur’s problem. It noted that the benefit of mathematical formalization is not just to gain precision but also to identify important questions about the problem, with a view to rooting out dangerous potential bugs. Mathematics means not just formalization but proofs. If you formalize the Naur problem, you soon realize that — as originally posed — it does not always have a solution (because of over-MAXPOS words). The process forces you to specify the conditions under which solutions do exist. This is one of the software engineering benefits of a mathematical formalization effort: if such conditions are not identified at the requirements level, they will take their revenge in the program, in the form of erroneous results and crashes.
You can find the mathematical specification (only one of several possibilities) in the article. The discussion also noted that one could start again from that spec and go back to English. That was, without the name, the mathematical picnic. The result’s length is in-between the other two versions: twice Naur’s, but half G&G’s. Here it is:
Given are a non-negative integer MAXPOS and a character set including two “break characters” blank and newline. The program shall accept as input a finite sequence of characters and produce as output a sequence of characters satisfying the following conditions:
• It only differs from the input by having a single break character wherever the input has one or more break characters;
• Any MAXPOS + 1 consecutive characters include a newline;
• The number of newline characters is minimal.
If (and only if) an input sequence contains a group of MAXPOS + 1 consecutive nonbreak characters, there exists no such output. In this case, the program shall produce the output associated with the initial part of the sequence, up to and including the MAXPOS·th character of the first such group, and report the error.
This post-picnic version is the result of a quasi-mechanical retranscription from the mathematical specification in the paper.
It uses the kind of English that one gets after a mathematical excursion. I wrote above that this style might sound funny; not to me in fact, because I am used to mathematical picnics, but probably to others (does it sound funny to you?).
The picnic technique provides a good combination of the precision of mathematics and the readability of English. English requirements as ordinarily written are subject to the seven sins described in my article, from ambiguity and contradiction to overspecification and noise. A formalization effort can correct these issues, but yields a mathematical text. Whether we like it or not, many people react negatively to such texts. We might wish they learn, but that is often not an option, and if they are important stakeholders we need their endorsement or correction of the requirements. With a mathematical picnic we translate the formal text back into something they will understand, while avoiding the worst problems of natural-language specifications.
Practicing the Formal Picnic method also has a long-term benefit for a software team. Having seen first-hand that better natural-language specifications (noise-free and more precise) are possible, team members little by little learn to apply the same style to the English texts they write, even without a mathematical detour.
If the goal is high-quality requirements, is there any alternative? What I have seen in many requirements documents is a fearful attempt to avoid ambiguity and imprecision by leaving no stone unturned: adding information and redundancy over and again. This was very much what I criticized in the G&G statement of requirements, which attempted to correct the deficiencies of the Naur text by throwing ever-more details that caused ever more risks of entanglement. It is fascinating to see how every explanation added in the hope of filling a possible gap creates more sources of potential confusion and a need for even more explanations. In industrial projects, this is the process that leads to thousands-of-pages documents, so formidable that they end up (as in the famous Ariane-5 case) on a shelf where no one will consult them when they would provide critical answers.
Mathematical specifications yield the precision and uncover the contradictions, but they also avoid noise and remain terse. Translating them back into English yields a reasonable tradeoff. Try a formal picnic one of these days.
For numerous recent discussions of these and many other related topics, I am grateful to my colleagues from the Innopolis-Toulouse requirements research group: Jean-Michel Bruel, Sophie Ebersold, Florian Galinier, Manuel Mazzara and Alexander Naumchev. I remain grateful to Axel van Lamsweerde (beyond his own seminal contributions to requirements engineering) for telling me, six years after I published a version of [1] in French, that I should take the time to produce a version in English too.
Bertrand Meyer: On Formalism in Specifications, in IEEE Software, vol. 3, no. 1, January 1985, pages 6-25. PDF available via IEEE Xplore with account, and also from here. Adapted translation of an original article in French (AFCET Software Engineering newsletter, no. 1, pages 81-122, 1979).
(This article was originally published on the Comm. ACMM blog.)
Imagine having had coffee, over the years, with each of Euclid, Galileo, Descartes, Marie Curie, Newton, Einstein, Lise Leitner, Planck and de Broglie. For a computer scientist, if we set aside the founding generation (the Turings and von Neumanns), the equivalent is possible. I have had the privilege of meeting and in some cases closely interacting with pioneer scientists, technologists and entrepreneurs, including Nobel, Fields and Turing winners, Silicon-Valley-type founders and such. It is only fair that I should share some of the traits I have observed in them.
Clarification and disclaimer:
“Idiosyncratic” is a high-sounding synonym for “diverse,” used here to deflect the ridicule of starting a list of what is common to those people by stating that they are different from each other. The point is important, though, and reassuring. Those people come in all stripes, from the stuffy professor to the sandals-shorts-and-Hawaiian-shirt surfer. Their ethnic backgrounds vary. And (glad you asked) some are men and some are women.
Consideration of many personality and lifestyle features yields no pattern at all. Some of the people observed are courteous, a delight to deal with, but there are a few jerks too. Some are voluble, some reserved. Some boastful, some modest. Some remain for their full life married to the same person, some have been divorced many times, some are single. Some become CEOs and university presidents, others prefer the quieter life of a pure researcher. Some covet honors, others are mostly driven by the pursuit of knowledge. Some wanted to become very rich and did, others care little about money. It is amazing to see how many traits appear irrelevant, perhaps reinforcing the value of those that do make a difference.
In trying to apply a cargo-cult-like recipe, this one would be the hardest to emulate. We all know that Fleming came across penicillin thanks to a petri dish left uncleaned on the window sill; we also know that luck favors only the well-prepared: someone other than Fleming would have grumbled at the dirtiness of the place and thrown the dish into the sink. But I am not just talking about that kind of luck. You have to be at the right place at the right time.
Read the biographies, and you will see that almost always the person happened to study with a professor who just then was struggling with a new problem, or did an internship in a group that had just invented a novel technique, or heard about recent results before everyone else did.
Part of what comes under “luck” is luck in obtaining the right education. Sure, there are a few autodidacts, but most of the top achievers studied in excellent institutions.
Success comes from a combination of nature and nurture. The perfect environment, such as a thriving laboratory or world-class research university, is not enough; but neither is individual brilliance. In most cases it is their combination that produces the catalysis.
Laugh again if you wish, but I do not just mean the obvious observation that those people were clever in what they did. In my experience they are extremely intelligent in other ways too. They often possess deep knowledge beyond their specialties and have interesting conversations.
You approach them because of the fame they gained in one domain, and learn from them about topics far beyond it.
At first, the title of this section is another cause for ridicule: what did you expect, extraterrestrials? But “human” here means human in their foibles too. You might expect, if not an extraterrestrial, someone of the oracle-of-Delphi or wizard-on-a-mountain type, who after a half-hour of silence makes a single statement perfect in its concision and exactitude.
Well, no. They are smart, but they say foolish things too. And wrong things. Not only do they say them, they even publish them. (Newton wasted his brilliance on alchemy. Voltaire — who was not a scientist but helped promote science, translating Newton and supporting the work of Madame du Châtelet — wasted his powerful wit to mock the nascent study of paleontology: so-called fossils are just shells left over by picnicking tourists! More recently, a very famous computer scientist wrote a very silly book — of which I once wrote, fearlessly, a very short and very disparaging review.)
So what? It is the conclusion of the discussion that counts, not the meanderous path to it, or the occasional hapless excursion into a field where your wisdom fails you. Once you have succeeded, no one will care how many wrong comments you made in the process.
It is fair to note that the people under consideration probably say fewer stupid things than most. (The Erich Kästner ditty from an earlier article applies.) But no human, reassuringly perhaps, is right 100% of the time.
What does set them apart from many people, and takes us back to the previous trait (smart), is that even those who are otherwise vain have no qualms recognizing mistakes in their previous thinking. They accept the evidence and move on.
Of two people, one an excellent, top-ranked academic, the other a world-famous pioneer, who is the more likely to answer an email? In my experience, the latter.
Beyond the folk vision of the disheveled, disorganized, absent-minded professor lies the reality of a lifetime of rigor and discipline.
This should not be a surprise. There is inspiration, and there is perspiration. Think of it as the dual of the broken-windows theory, or of the judicial view that a defendant who lies in small things probably lies in big things: the other way around, if you do huge tasks well, you probably do small tasks well too.
Along with diligence comes focus, carried over from big matters to small matters. It is the lesser minds that pretend to multiplex. Great scientists, in my experience, do not hack away at their laptops during talks, and they turn off their cellphones. They choose carefully what they do (they are deluged with requests and learn early to say no), but what they accept to do they do. Seriously, attentively, with focus.
A fascinating spectacle is a world-famous guru sitting in the first row at a conference presentation by a beginning Ph.D. student, and taking detailed notes. Or visiting an industrial lab and quizzing a junior engineer about the details of the latest technology.
For someone who in spite of the cargo cult risk is looking for one behavior to clone, this would be it. Study after study has shown that we only delude ourselves in thinking we can multiplex. Top performers understand this. In the seminar room, they are not the ones doing email. If they are there at all, then watch and listen.
Top science and technology achievers are communicators. In writing, in speaking, often in both.
This quality is independent from their personal behavior, which can cover the full range from shy to boisterous. It is the quality of being articulate. They know how to convey their results — and often do not mind crossing the line to self-advertising. It is not automatically the case that true value will out: even the most impressive advances need to be pushed to the world.
The alternative is to become Gregor Mendel: he single-handedly discovered the laws of genetics, and was so busy observing the beans in his garden that no one heard about his work until some twenty years after his death. Most of us prefer to get the recognition earlier. (Mendel was a monk, so maybe he believed in an afterlife; yet again maybe he, like everyone else, might have enjoyed attracting interest in this world first.)
In computer science it is not surprising that many of the names that stand out are of people who have written seminal books that are a pleasure to read. Many of them are outstanding teachers and speakers as well.
Being an excellent communicator does not mean that you insist on talking. The great innovators are excellent listeners too.
Some people keep talking about themselves. They exist in all human groups, but this particular trait is common among scientists, particularly junior scientists, who corner you and cannot stop telling you about their ideas and accomplishments. That phenomenon is understandable, and in part justified by an urge to avoid the Mendel syndrome. But in a conversation involving some less and some more recognized professionals it is often the most accomplished members of the group who talk least. They are eager to learn. They never forget that the greatest insighs can start with a casual observation from an improbable source. They know when to talk, and when to shut up and listen.
Openness also means intellectual curiosity, willingness to have your intellectual certainties challenged, focus on the merit of a comment rather than the commenter’s social or academic status, and readiness to learn from disciplines other than your own.
People having achieved exceptional results were generally obsessed with the chase and the prey. They are as driven as an icebreaker ship in the Sea of Barents. They have to get through; the end justifies the means; anything in the way is collateral damage.
So it is not surprising, in the case of academics, to hear colleagues from their institutions mumble that X never wanted to do his share, leaving it to others to sit in committees, teach C++ to biology majors and take their turn as department chair. There are notable exceptions, such as the computer architecture pioneer who became provost then president at Stanford before receiving the Turing Award. But you do not achieve breakthroughs by doing what everything else is doing. When the rest of the crowd is being sociable and chatty at the conference party long into the night, they go back to their hotel to be alert for tomorrow’s session. A famous if extreme case is Andrew Wiles, whom colleagues in the department considered a has-been, while he was doing the minimum necessary to avoid trouble while working secretly and obsessively to prove Fermat’s last theorem.
This trait is interesting in light of the soothing discourse in vogue today. Nothing wrong with work-life balance, escaping the rat race, perhaps even changing your research topic every decade (apparently the rule in some research organizations). Sometimes a hands-off, zen-like attitude will succeed where too much obstination would get stuck. But let us not fool ourselves: the great innovators never let go of the target.
Yes, selfishness can go with generosity. You obsess over your goals, but it does not mean you forget other people.
Indeed, while there are a few solo artists in the group under observation, a striking feature of the majority is that in addition to their own achievements they led to the creation of entire communities, which often look up to them as gurus. (When I took the comprehensive exam at Stanford, the first question was what the middle initial “E.” of a famous professor stood for. It was a joke question, counting for maybe one point out of a hundred, helpfully meant to defuse students’ tension in preparation for the hard questions that followed. But what I remember is that every fellow student whom I asked afterwards knew the answer. Me too. Such was the personality cult.) The guru effect can lead to funny consequences, as with the famous computer scientist whose disciples you could spot right away in conferences by their sandals and beards (I do not remember how the women coped), carefully patterned after the master’s.
The leader is often good at giving every member of that community flattering personal attention. In a retirement symposium for a famous professor, almost every person I talked too was proud of having developed a long-running, highly personal and of course unique relationship with the honoree. One prestigious computer scientist who died in the 80’s encouraged and supported countless young people in his country; 30 years later, you keep running into academics, engineers and managers who tell you that they owe their career to him.
Some of this community-building can be self-serving and part of a personal strategy for success. There has to be more to it, however. It is not just that community-building will occur naturally as people discover the new ideas: since these ideas are often controversial at first, those who understood their value early band together to defend them and support their inventor. But there is something else as well in my observation: the creators’ sheer, disinterested generosity.
These people are passionate in their quest for discovery and creation and genuinely want to help others. Driven and self-promoting they may be, but the very qualities that led to their achievements — insight, intellectual courage, ability to think beyond accepted ideas — are at the antipodes of pettiness and narrow-mindedness. A world leader cannot expect any significant personal gain from spotting and encouraging a promising undergraduate, telling a first-time conference presenter that her idea is great and worth pushing further, patiently explaining elementary issues to a beginning student, or responding to a unknown correspondent’s emails. And still, as I have observed many times, they do all of this and more, because they are in the business of advancing knowledge.
These are some of the traits I have observed. Maybe there are more but, sorry, I have to go now. The pan is sizzling and I don’t like my tournedos too well-done.
(Originally published on CACM blog.)
An article published here a few years ago, reproducing a note I wrote much earlier (1992), pointed out that conventional wisdom about the history of software engineering, cited in every textbook, is inaccurate: the term “software engineering” was in use before the famous 1968 Garmisch-Partenkichen conference. See that article for details.
Recently a colleague wanted to cite my observation but could not find my source, a 1966 Communications of the ACM article using the term. Indeed that text is not currently part of the digitalized ACM archive (Digital Library). But I knew it was not a figment of my imagination or of a bad memory.
The reference given in my note is indeed correct; with the help of the ETH library, I was able to get a scan of the original printed article. It is available here.
The text is not a regular CACM article but a president’s letter, part of the magazine’s front matter, which the digital record does not always include. In this case historical interest suggests it should; I have asked the ACM to add it. In the meantime, you can read the scanned version for a nostalgic peek into what the profession found interesting half a century ago.
Note (12 November 2018): The ACM Digital Library responded (in a matter of hours!) and added the letter to the digital archive.
To buy a Zurich Opera ticket online you have to register on their site, including choosing a form of address from a list which beats any I have seen:
As a side detail, their system does not work: to enable registration and booking it is supposed to send you an email with your password, and it never did in spite of many attempts over several days. The only way to buy tickets turned out to be going to the theater and queuing at the box office. (There I was assured with extreme politeness that I am now registered on the site, but no, never got a password and cannot log in.) I agree with you, though: what a trivial quibble! You may never be able to book a performance, but by clicking the right menu entry you can call yourself Frau Stadträtin.