By July 2025, smart contracts collectively manage roughly $120 billion in assets. With Solidity remaining the dominant language for smart contract development, the correctness of Solidity compilers has become critically important. However, Solidity compilers are bug-prone, with a recent study revealing that combinations of qualifiers in Solidity programs are the primary cause of compiler crashes, accounting for 40.5% of all historical crashes. While random program generators are widely used for compiler testing, they may be less effective at finding Solidity compiler bugs because they explore the unbounded space of possible programs rather than concentrating on the specific subspace related to bug-prone qualifiers. A promising idea for finding qualifier-related bugs is to bound the search space based on empirical evidence of where such bugs are likely to occur, specifically focusing test generation to target subspaces with rich combinations of qualifiers. To address this, we propose bounded exhaustive random program generation, a novel approach that dynamically bounds the search space, enhancing the likelihood of uncovering Solidity compiler bugs. Specifically, our method bounds the search space by generating valid program templates that abstract programs that use bug-prone qualifiers, and then uses these templates as a basis for compiler testing through exhaustive enumeration of suitable qualifiers. Mechanisms are devised to address technical challenges regarding validity and efficiency. We have implemented our novel generation approach in a new tool, Erwin. We have used Erwin to find and report 26 bugs across two Solidity compilers, solc and solang, and one Solidity static analyzer, slither. Among these, 23 were previously unknown, 18 have been confirmed, and 10 have been fixed. Evaluation results demonstrate that Erwin outperforms state-of-the-art Solidity fuzzers in bug detection.

翻译：截至2025年7月，智能合约管理的资产总额约达1200亿美元。Solidity作为智能合约开发的主流语言，其编译器的正确性至关重要。然而，Solidity编译器存在较高的缺陷风险，近期研究表明Solidity程序中限定符的组合是导致编译器崩溃的主要原因，占历史崩溃案例的40.5%。尽管随机程序生成器已广泛应用于编译器测试，但其在发现Solidity编译器缺陷方面可能效率有限，因为它们探索的是无界的程序空间，而非专注于易错限定符相关的特定子空间。针对限定符相关缺陷的检测，一种可行思路是基于缺陷发生概率的经验证据对搜索空间进行界定，将测试生成聚焦于具有丰富限定符组合的子空间。为此，我们提出有界穷举随机程序生成方法，这是一种通过动态界定搜索空间以提升Solidity编译器缺陷发现概率的创新方法。具体而言，本方法通过生成抽象化使用易错限定符程序的有效程序模板来界定搜索空间，并以此为基础，通过对合适限定符的穷举枚举进行编译器测试。我们设计了相应机制以应对有效性和效率方面的技术挑战。我们将该创新生成方法实现于新工具Erwin中。利用Erwin，我们在两个Solidity编译器（solc和solang）及一个Solidity静态分析器（slither）中发现并报告了26个缺陷，其中23个为先前未知缺陷，18个已获确认，10个已完成修复。评估结果表明，Erwin在缺陷检测方面优于当前最先进的Solidity模糊测试工具。