Bounded Exhaustive Random Program Generation for Testing Solidity Compilers and Analyzers

Random program generators often exhibit opportunism: they generate programs without a specific focus within the vast search space defined by the programming language. This opportunistic behavior hinders the effective generation of programs that trigger bugs in compilers and analyzers, even when such programs closely resemble those generated. To address this limitation, we propose bounded exhaustive random program generation, a novel method that focuses the search space of program generation with the aim of more quickly identifying bug-triggering programs. Our approach comprises two stages: 1) generating random program templates, which are incomplete test programs containing bug-related placeholders, and 2) conducting a bounded exhaustive enumeration of valid values for each placeholder within these templates. To ensure efficiency, we maintain a solvable constraint set during the template generation phase and then methodically explore all possible values of placeholders within these constraints during the exhaustive enumeration phase. We have implemented this approach for Solidity, a popular smart contract language for the Ethereum blockchain, in a tool named Erwin. Based on a recent study of Solidity compiler bugs, the placeholders used by Erwin relate to language features commonly associated with compiler bugs. Erwin has successfully identified 23 previously unknown bugs across two Solidity compilers, solc and solang, and one Solidity static analyzer, slither. Evaluation results demonstrate that Erwin outperforms state-of-the-art Solidity fuzzers in bug detection and complements developer-written test suites by covering 4,582 edges and 14,737 lines of the solc compiler that were missed by solc unit tests.