Static analysis is a foundational technique for detecting software defects, yet it notoriously suffers from high false positive rates. Prior efforts to reduce false positives via model checking, symbolic execution, dynamic analysis, testing, or machine learning either fail to scale or mistakenly eliminate real defects.

This paper presents RICAN, a novel approach that leverages dynamic testing to reliably eliminate false alarms in static analysis. The key insight behind RICAN is the concept of input-agnosticity: if the validity of an alarm is independent of program inputs along each execution path, then once all such paths from the program entry to the alarm site have been exercised by tests without triggering the alarmed bug, the alarm can be safely classified as a false positive. To realize this insight, RICAN uses data-dependence analysis to identify input-agnostic alarms among all reported alarms. However, validating even input-agnostic alarms requires exploring all feasible paths, which is generally infeasible. To address this, RICAN computes a necessary set of paths by identifying only those branches and loops that may influence the alarm's validity. Finally, RICAN eliminates false alarms using existing dynamic testing and post-directed fuzzing to cover these critical paths.

We evaluate RICAN on six real-world open-source projects. Our experiments show that RICAN can reliably eliminate 1,313 (45.09%) false positives across 2,912 double free, use-after-free, and null pointer dereference alarms, while incurring negligible overhead. Our user studies further demonstrate that RICAN reduces the manual effort required for alarm inspection by over 70% on average and helps programmers find bugs more quickly and accurately, highlighting its practical usefulness in real-world static analysis.