Saved in:
Bibliographic Details
Main Authors: Ma, Haoyang, Donaldson, Alastair F., Shen, Qingchao, Tian, Yongqiang, Chen, Junjie, Cheung, Shing-Chi
Format: Preprint
Published: 2025
Subjects:
Online Access:https://arxiv.org/abs/2503.20332
Tags: Add Tag
No Tags, Be the first to tag this record!
_version_ 1866914176566296576
author Ma, Haoyang
Donaldson, Alastair F.
Shen, Qingchao
Tian, Yongqiang
Chen, Junjie
Cheung, Shing-Chi
author_facet Ma, Haoyang
Donaldson, Alastair F.
Shen, Qingchao
Tian, Yongqiang
Chen, Junjie
Cheung, Shing-Chi
contents By July 2025, smart contracts collectively manage roughly $120 billion in assets. With Solidity remaining the dominant language for smart contract development, the correctness of Solidity compilers has become critically important. However, Solidity compilers are bug-prone, with a recent study revealing that combinations of qualifiers in Solidity programs are the primary cause of compiler crashes, accounting for 40.5% of all historical crashes. While random program generators are widely used for compiler testing, they may be less effective at finding Solidity compiler bugs because they explore the unbounded space of possible programs rather than concentrating on the specific subspace related to bug-prone qualifiers. A promising idea for finding qualifier-related bugs is to bound the search space based on empirical evidence of where such bugs are likely to occur, specifically focusing test generation to target subspaces with rich combinations of qualifiers. To address this, we propose bounded exhaustive random program generation, a novel approach that dynamically bounds the search space, enhancing the likelihood of uncovering Solidity compiler bugs. Specifically, our method bounds the search space by generating valid program templates that abstract programs that use bug-prone qualifiers, and then uses these templates as a basis for compiler testing through exhaustive enumeration of suitable qualifiers. Mechanisms are devised to address technical challenges regarding validity and efficiency. We have implemented our novel generation approach in a new tool, Erwin. We have used Erwin to find and report 26 bugs across two Solidity compilers, solc and solang, and one Solidity static analyzer, slither. Among these, 23 were previously unknown, 18 have been confirmed, and 10 have been fixed. Evaluation results demonstrate that Erwin outperforms state-of-the-art Solidity fuzzers in bug detection.
format Preprint
id arxiv_https___arxiv_org_abs_2503_20332
institution arXiv
publishDate 2025
record_format arxiv
spellingShingle Bounded Exhaustive Random Program Generation for Testing Solidity Compilers
Ma, Haoyang
Donaldson, Alastair F.
Shen, Qingchao
Tian, Yongqiang
Chen, Junjie
Cheung, Shing-Chi
Programming Languages
By July 2025, smart contracts collectively manage roughly $120 billion in assets. With Solidity remaining the dominant language for smart contract development, the correctness of Solidity compilers has become critically important. However, Solidity compilers are bug-prone, with a recent study revealing that combinations of qualifiers in Solidity programs are the primary cause of compiler crashes, accounting for 40.5% of all historical crashes. While random program generators are widely used for compiler testing, they may be less effective at finding Solidity compiler bugs because they explore the unbounded space of possible programs rather than concentrating on the specific subspace related to bug-prone qualifiers. A promising idea for finding qualifier-related bugs is to bound the search space based on empirical evidence of where such bugs are likely to occur, specifically focusing test generation to target subspaces with rich combinations of qualifiers. To address this, we propose bounded exhaustive random program generation, a novel approach that dynamically bounds the search space, enhancing the likelihood of uncovering Solidity compiler bugs. Specifically, our method bounds the search space by generating valid program templates that abstract programs that use bug-prone qualifiers, and then uses these templates as a basis for compiler testing through exhaustive enumeration of suitable qualifiers. Mechanisms are devised to address technical challenges regarding validity and efficiency. We have implemented our novel generation approach in a new tool, Erwin. We have used Erwin to find and report 26 bugs across two Solidity compilers, solc and solang, and one Solidity static analyzer, slither. Among these, 23 were previously unknown, 18 have been confirmed, and 10 have been fixed. Evaluation results demonstrate that Erwin outperforms state-of-the-art Solidity fuzzers in bug detection.
title Bounded Exhaustive Random Program Generation for Testing Solidity Compilers
topic Programming Languages
url https://arxiv.org/abs/2503.20332