The conventional classification of software fault detection techniques as static or dynamic analysis is inadequate as a basis for identifying useful relationships between techniques. A more useful distinction is between techniques that sample the space of possible executions, and techniques that fold the space. The new distinction provides better insight into the ways different techniques can interact, and is a basis for considering hybrid fault detection techniques including combinations of testing and formal verification.

The inherent difficulties of analyzing concurrent software make reliance on a single technique or a single monolithic tool unsatisfactory. A better approach is to apply multiple analysis and verification techniques by coordinating the activities of a variety of small tool components. We describe how this approach has shaped the design of a set of tool components to support concurrency analysis in the Arcadia-1 software development environment. Implementation and experience with key components is described.

Formal methods like model checking can be used to demonstrate that safety properties of embedded systems are enforced by the system's requirements. Unfortunately, proving these properties provides no guarantee that they will be preserved in an implementation of the system. We have developed a tool, called Analyzer, which helps discover instances of inconsistency and incompleteness in implementations with respect to requirements. Analyzer uses requirements information to automatically generate properties which ensure that required state transitions appear in a model of an implementation. A model is created through abstract interpretation of an implementation annotated with assertions about values of state variables which appear in requirements. Analyzer determines if the model satisfies both automatically-generated and userspecified safety properties. This paper presents a description of our implementation of Analyzer and our experience in applying it to a small but realistic problem.

In embedded systems the interfaces between software and its embedding environment are a major source of costly errors. For example, Lutz reported that 20% - 35% of the safety related errors discovered during integration and system testing of two spacecraft were related to the interfaces between the software and the embedding hardware. Also, the software's operating environment is likely to change over time further complicating the issues related to system level inter-component communication. In this paper we discussed a formal approach to the specification and analysis of inter-component communication using a revised version of the RSML (Requirements State Machine Language) specification language. The formalism allows rigorous specification of the physical aspects of the inter-component communication and enables encapsulation of communication related properties in well defined interface specifications. This allows us to both analyze a system design and detect incompatibilities between...