Validating Static Warnings via Testing Code Fragments
arXiv - CS - Software Engineering Pub Date : 2021-06-08 , DOI: arxiv-2106.04735
Ashwin Kallingal Joshy, Xueyuan Chen, Benjamin Steenhoek, Wei Le

Static analysis is an important approach for finding bugs and vulnerabilities in software. However, inspecting and confirming static warnings is challenging and time-consuming. In this paper, we present a novel solution that automatically generates test cases based on static warnings to validate true and false positives. We designed a syntactic patching algorithm that can generate syntactically valid, semantics-preserving executable code fragments from static warnings. We developed a build and testing system to automatically test code fragments using fuzzers, KLEE and Valgrind. We evaluated our techniques using 12 real-world C projects and 1955 warnings from two commercial static analysis tools. We successfully built 68.5% of the code fragments and generated 1003 test cases. Through automatic testing, we identified 48 true positives, 27 false positives, and 205 likely false positives. We matched 4 CVEs and real-world bugs using Helium, and they are triggered only by our tool and not by the other baseline tools. We found that testing code fragments is scalable and useful; it can trigger bugs that testing entire programs or testing procedures failed to trigger.

Updated: 2021-06-10