This paper proposes a verification mechanism for designing dependable context-aware systems. In our approach, a UML-based design model and actual execution trace data are translated into a logical formula. The validity of a design model, the correspondence between the design and the execution, and the non-functional properties can be verified automatically. For this checking, we use an SMT solver.
INTRODUCTION
Context-awareness plays an important role in developing flexible and adaptive systems that can change their behavior according to their context (Kramer and Magee, 2007) . However, it is not easy to design and implement such a context-aware system, because its system configuration is dynamically changed. It is hard to check whether a design model is correctly implemented and its behavior is faithful to the design. Runtime verification is one of the promising approaches for relaxing this problem. It is effective to log the execution events of a program and check whether the trace satisfies the properties specified in the design. However, it is still difficult to check the validity of a design and the correspondence between the design and its actual event trace, because context cannot be treated as a module in the traditional design methods and programming languages. Context is designed or implemented in an ad-hoc manner in traditional approaches. As a result, it is difficult to map a design-level event such as context change to an event in an execution trace. To deal with this problem, this paper applies the notion of COP (Context-Oriented Programming) (R. Hirschfeld and Nierstrasz, 2008) to a design and verification method for developing context-aware systems. COP can treat context as a module and enables programmers to describe the context-aware behavior elegantly.
This paper provides RV4COP, a runtime verification mechanism based on UML4COP (Ubayashi and Kamei, 2012) in which each context is modeled separately from a base design model representing only primary system behavior. A system design model is composed by merging associated contexts. In RV4COP, a system design model and actual execution trace data at a certain period of time are translated into a logical formula. A variety of properties can be checked automatically. For this checking, we use an SMT (Satisfiability Modulo Theories) solver (A. Biere and Walsh, 2009 ), a tool for deciding the satisfiability of logical formulas. This paper is structured as follows. In Section 2, we introduce COP and UML4COP. In Section 3, we propose RV4COP. Concluding remarks are provided in Section 4.
COP AND UML4COP
In this section, first, we introduce the overview of COP. Next, we briefly excerpt UML4COP from our previous work (Ubayashi and Kamei, 2012) .
COP Overview
COP provides a mechanism for dynamically adapting the behavior to the new context. There are several COP languages such as ContextJ* and JCop (R. Hirschfeld and Nierstrasz, 2008) . Context is described by layers, a context-aware modularization mechanism. A layer, which defines a set of related context-dependent behavioral variations, can be considered a module. By entering a layer or exiting from the layer, a program can change its behavior. A program captures context-dependent behavior by entering a layer. A layer, a kind of crosscutting con- cern, can range over several classes and contain partial method definitions implementing behavioral variations. A set of partial methods belonging to the same layer represents the context-dependent behavior. There are two kinds of partial methods: plain method and layered method. The former is a method whose execution is not affected by layers. The latter consists of a base method definition, which is executed when no active layer provides a corresponding partial method, and partial method definitions. Partial methods are activated when a program enters a layer. In COP, a systems can be constructed by dynamically composing a set of associated layers.
Design Modeling using UML4COP
UML4COP, a UML-based domain-specific modeling language, consists of two kinds of models: view model and context transition model. The former described in class diagrams and sequence diagrams rep- resents context. The latter described in state machine diagrams represents context transitions triggered by COP-specific events such as layer in and layer out. Figure 1 and 2 show an example model described in UML4COP. This example modified from (ContextJ*, 2011) is an application that displays a message containing a person's name, address, and em- ployer. The message content changes according to the belonging context. In Figure 1 , there is one base view and two layer views: Address and Employment. In Address layer, a layered method toString is called to display an address. In Employment layer, another layered method toString is called to display an employer's profile. In Figure 2 , first, this example system can enter Address layer. Next, the system can enter Employment layer or exit from Address layer. We can easily understand system behavior by composing views according to context transitions. The following is the execution result. The same print statement behaves differently according to the context.
Programming in COP Languages
A design model in UML4COP can be easily implemented using COP languages. In List 1 -4 ( 
RUNTIME VERIFICATION
Although UML4COP and COP improve the expressiveness for designing and implementing contextaware systems, it is not necessarily easy to check whether a program correctly implements its design. To deal with this problem, we propose RV4COP consisting of three steps: 1) a design model specified in UML4COP is translated into a logical formula; 2) execution trace data collected by logging ContextJ* execution events are converted to a logical formula; and 3) a variety of checking are performed. Introducing RV4COP, we can check the correspondence between design and its execution trace by verifying the satisfiability of these logical formulas. Our approach integrates trace-based dynamic analysis with logic-based formal methods.
UML-basedDesignandVerificationMethodforDevelopingDependableContext-awareSystems

Verification Procedure
Step 1: Translation from a Design Model into a Logical Formula A UML4COP model is translated into a logical formula by focusing on the selected COP events called archpoints, points for representing the essence of architectural design. Table 1 shows major archpoints and related execution events in ContextJ*. Using archpoints, we can define an abstract design model representing the essence of context-aware software architecture. We can verify the crucial aspects of a design model by ignoring non-essential aspects. The computing cost and the verification scalability are improved, because the length of a logical formula is shorten.
In RV4COP, design is defined as a set of archpoints A = {a 1 , ..., a n } and a set of constraints among them. A design model is regarded correct if the logical formula below is satisfied. An archcond i is a logical expression for specifying a property that should be satisfied among a set of related archpoints. DESIGN = archcond 1 ∧ ... ∧ archcond m (1) The example design model is translated into List 5 (Figure 4) . The sequence is a predicate that is satisfied when the order of archpoint occurrence is correct. By defining a set of predicates such as iteration and branch, we can describe a variety of architectural properties. The system behavior at a certain period of time can be composed by merging associated logical formulas in List 5. For example, the formula Composition Base Address Employment in List 6 is generated by merging the four formulas in List 5 (the same archpoint occurrence is merged). Taking into account the context transitions, archpoints such as layer in and layer out are added to List 6.
Step 2: Translation from Trace Data into a Logical Formula In RV4COP, trace data can be expressed as a set of ContextJ* execution events E = {e 1 , ..., e n ′ } and a set of constraints among them. A trace is consistent if the formula below is satisfied. A tracecond i is a logical expression for specifying a property that should be satisfied among a set of execution events.
The execution trace data are translated into a logical formula shown in List 7 (Figure 4 ).
Step 3: Verification We can check a variety of design properties: 1) traceability between design and its trace, 2) design consistency by checking DESIGN, and 3) trace validity by checking T RACE. As an example, we show how to generate a logical formula for checking 1). In RV4COP, a refinement mapping from a design model to its event trace can be defined as a mapping function refine. Using refine function, RV4COP can be applied to a variety of COP languages. In case of ContextJ*, this mapping can be defined below. Program behavior conforms to its design if the following is satisfied.
re f ine(DESIGN) ∧ T RACE (3)
In the example, this formula is not satisfied. The sequence predicate in re f ine(DESIGN) is false, because the order of the layered method invocations in T RACE (List 7) is not correct. A ContextJ* implementation shown in List 1 -4 does not conform to its design. When tanaka (person) enters the Address and Employment layers, the layered method toString (Address layer) is invoked after the layered method toString (Employment layer) is invoked. This violates the order of message sequence of the system behavior shown in List 6. This bug is caused by the usage of the ContextJ* framework consisting of LayerDefinition, define, select, and next. The order of layered method definitions is not correct. It is not necessarily easy for a novice to understand the above behavior. If the number of layers and the number of classes associated to the layers increase, it becomes difficult to understand the detailed behavior even if the programmer is not a novice.
Introducing Archpoints, the correspondence between design and its execution can be checked while preserving adequate abstraction level. In List 6 (Composition Base Address Employment), we focus on only the layered method invocations-base method invocations are out of consideration. We can take into account only a special behavioral scenario if a developer considers it important.
SMT-based Verification
The verification procedure shown in 3.1 can be automated by using formal verification tools. In RV4COP, we use Yices (Yices, 2012) , an SMT solver whose input language is similar to Scheme. Yices is an SMT solver that decides the satisfiability of formulas containing uninterpreted function symbols with equality, linear real and integer arithmetic, scalar types, extensional arrays, and so on. SMT is effective for RV4COP because these expressive logical formulas can be used.
Design Traceability
The behavioral aspect of design traceability can be verified by checking the satisfiability of the logical formula re f ine(DESIGN) ∧ T RACE. This formula can be encoded to List 8 in which only Composition Base Address Employment is shown as a system design model due to the space limitation. (< i0 i1) (< i1 i2) (< i2 i3) (< i3 i4) 09:
(< i4 i5) (< i5 i6) (< i6 i7) (< i7 i8) 10:
(< i8 i9) (< i9 i10) (< i10 i11) (< i11 i12) 11:
(< i12 i13) (< i13 i14) 12: (= (tlist i0) Layer_with_@Address 
Design Consistency
We can check not only design traceability but also design consistency (or design correctness). If design consistency and design traceability are correct, we can consider that the actual trace satisfies the consistency specified in the design. Design consistency can be verified by checking the satisfiability of the logical formula DESIGN.
We check a behavioral specification as an example. Our approach can be used as a bounded model checker (E. Clarke and Peled, 1999) for verifying temporal behavior. For example, a temporal specification
Person toString receive → ⋄Employer toString receive @Address can be checked. The symbol ⋄ (in the future) is an operator of LTL (Linear Temporal Logic). The meaning of the formula is as follows: toString message (layered) will be received by an employer in the future if toString message is received by a person. This LTL formula can be encoded to List 9. The symbol alist, whose definition is omitted due to the space limitation, is an array representing design-level system behavior (a sequence of archpoints). The assertion in List 9 is satisfied.
[List 9] 01: (assert (and 02:
(< i j) 03: (= (alist i) Person_toString_receive) 04: (= (alist j) Employer_toString_receive_@Address)))
Non-functional Properties
Some kinds of non-functional properties such as performance are important in designing context-aware systems. These properties can be verified by checking the satisfiability of the logical formula T RACE. The assertion in List 10 checks whether toString (Employer's layered method) is executed within the expected response time after toString (Person's method) is executed. Two variables timestamp i and timestamp j show the time of the person's toString execution and the time of the employer's toString execution, respectively. 
CONCLUSIONS AND FUTURE WORK
This paper proposed RV4COP. We can verify the validity of a design model, the correspondence between the design and the execution, and the non-functional properties. For this checking, we used an SMT solver. Our approach integrates trace-based dynamic analysis with logic-based formal methods. COP is a new program paradigm and its debugging methods are one of the important research topics. We previously proposed CJAdviser (S. Uchio and Kamei, 2011) , SMTbased debugging support for ContextJ*, in which the execution trace of a ContextJ* program is converted to a context dependence graph that can be analyzed by Yices. Using CJAdviser, we can check a variety of object-context dependencies such as "Do two objects A and B exist in the Context X at the same time ?". As the next step, we plan to integrate CJAdviser with RV4COP in order to support the consistent traceability from design to code and execution.
