By July 2025, smart contracts collectively manage roughly $120 billion in assets. With Solidity remaining the dominant language for smart contract development, the correctness of Solidity compilers has become critically important. However, Solidity compilers are bug-prone, with a recent study revealing that combinations of qualifiers in Solidity programs are the primary cause of compiler crashes, accounting for 40.5% of all historical crashes. While random program generators are widely used for compiler testing, they may be less effective at finding Solidity compiler bugs because they explore the unbounded space of possible programs rather than concentrating on the specific subspace related to bug-prone qualifiers. A promising idea for finding qualifier-related bugs is to bound the search space based on empirical evidence of where such bugs are likely to occur, specifically focusing test generation to target subspaces with rich combinations of qualifiers. To address this, we propose bounded exhaustive random program generation, a novel approach that dynamically bounds the search space, enhancing the likelihood of uncovering Solidity compiler bugs. Specifically, our method bounds the search space by generating valid program templates that abstract programs that use bug-prone qualifiers, and then uses these templates as a basis for compiler testing through exhaustive enumeration of suitable qualifiers. Mechanisms are devised to address technical challenges regarding validity and efficiency. We have implemented our novel generation approach in a new tool, Erwin. We have used Erwin to find and report 26 bugs across two Solidity compilers, solc and solang, and one Solidity static analyzer, slither. Among these, 23 were previously unknown, 18 have been confirmed, and 10 have been fixed. Evaluation results demonstrate that Erwin outperforms state-of-the-art Solidity fuzzers in bug detection.
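As an added illustration of the template-then-enumerate idea sketched above (constructed example code, not Erwin's implementation): one fixed contract template with qualifier holes, a bounded set of candidate qualifiers per hole, exhaustive enumeration of every combination, and a hand-written validity filter so compiler time is spent on programs that pass the parser and type checker. The template, the qualifier sets and the small set of solc rules are assumptions covering a subset of Solidity ^0.8.0.

```python
import itertools

# Constructed template (an assumption, not Erwin's format): each {hole} is a qualifier slot.
TEMPLATE = """pragma solidity ^0.8.0;
contract T {{
    uint256 {var_mut} x = 1;
    function f(uint256[] {loc} a) {vis} {state} returns (uint256) {{
        {body}
    }}
}}"""

# Each body reads a.length; the tuple says whether it (reads, writes) the state variable x.
BODIES = {
    "return a.length;": (False, False),
    "return x + a.length;": (True, False),
    "x = a.length; return x;": (True, True),
}

# Bounded search space: candidate fillers for each hole (a constructed subset of Solidity).
QUALIFIERS = {
    "var_mut": ["", "constant"],
    "loc": ["memory", "calldata", "storage"],
    "vis": ["public", "external", "internal", "private"],
    "state": ["", "view", "pure", "payable"],
    "body": list(BODIES),
}

def is_valid(q):
    """Keep only combinations solc accepts, so the compile budget reaches deeper phases."""
    reads_x, writes_x = BODIES[q["body"]]
    if q["state"] == "payable" and q["vis"] not in ("public", "external"):
        return False  # internal/private functions cannot be payable
    if q["loc"] == "storage" and q["vis"] in ("public", "external"):
        return False  # storage pointers cannot be public/external parameters
    if q["loc"] == "storage" and q["state"] == "pure":
        return False  # a.length on a storage pointer reads state, forbidden in pure
    if writes_x and (q["state"] in ("view", "pure") or q["var_mut"] == "constant"):
        return False  # view/pure cannot modify state; constants cannot be assigned
    if reads_x and q["state"] == "pure" and q["var_mut"] != "constant":
        return False  # pure may read compile-time constants, not state variables
    return True

def enumerate_programs(qualifiers=QUALIFIERS, template=TEMPLATE):
    """Exhaustively enumerate qualifier combinations and render the valid ones."""
    keys = list(qualifiers)
    programs = []
    for values in itertools.product(*(qualifiers[k] for k in keys)):
        q = dict(zip(keys, values))
        if is_valid(q):
            programs.append((q, template.format(**q)))
    return programs
```

Each rendered source is one test input for the compiler under test; the enumeration is bounded by the template, and the filter keeps 134 of the 288 raw combinations.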