ICSE 2026
Sun 12 - Sat 18 April 2026 Rio de Janeiro, Brazil

As of July 2025, smart contracts have collectively overseen assets worth about $120 billion. Since Solidity is the leading language for developing smart contracts, ensuring the correctness of Solidity compilers is critically important. However, Solidity compilers are prone to bugs: recent studies reveal that combinations of qualifiers in Solidity programs are the primary cause of compiler crashes, accounting for 40.48% of all historical crashes. While random program generators are widely used for compiler testing, they are less effective at finding Solidity compiler bugs because they explore the unbounded space of possible programs rather than concentrating on the specific subspace related to bug-prone qualifiers. A promising idea for finding qualifier-related bugs is to bound the search space based on empirical evidence of where such bugs are likely to occur, focusing test generation on subspaces with rich combinations of qualifiers. To this end, we propose bounded exhaustive random program generation, a novel approach that dynamically bounds the search space, enhancing the likelihood of uncovering Solidity compiler bugs. Specifically, our method bounds the search space by generating valid program templates that abstract programs using bug-prone qualifiers, and then applies these templates to guide program generation for compiler testing. We devise mechanisms to address the technical challenges of validity and efficiency.

We have implemented our novel generation approach in a new tool, Erwin. We have used Erwin to find and report 26 bugs across two Solidity compilers, solc and solang, and one Solidity static analyzer, slither. Among these, 23 were previously unknown, 18 have been confirmed, and 10 have been fixed. Evaluation results demonstrate that Erwin outperforms state-of-the-art Solidity fuzzers in bug detection and complements developer-written test suites by covering 4,599 edges and 14,824 lines of the solc compiler that were missed by solc’s unit tests.
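
A simplified illustration of the idea described in the abstract, added here and not taken from Erwin or the paper: the search space is bounded to the qualifier holes of one program template and then enumerated exhaustively, keeping only combinations that pass validity rules. The template, the two rules, and all function names are assumptions made for this example.

```python
from itertools import product

# Qualifier domains for the three holes in the template (Solidity keywords).
VISIBILITY = ("public", "external", "internal", "private")
MUTABILITY = ("", "view", "pure", "payable")  # "" = default (non-payable)
LOCATION = ("memory", "calldata", "storage")

# Constructed template: one function whose qualifiers are left as holes.
TEMPLATE = (
    "// SPDX-License-Identifier: MIT\n"
    "pragma solidity ^0.8.0;\n"
    "contract C {{\n"
    "    function f(uint256[] {loc} a) {quals} {{}}\n"
    "}}\n"
)

def is_valid(vis, mut, loc):
    """Two Solidity rules (an assumed, minimal set) that prune rejected programs."""
    externally_callable = vis in ("public", "external")
    if mut == "payable" and not externally_callable:
        return False  # internal/private functions cannot be payable
    if loc == "storage" and externally_callable:
        return False  # storage-pointer parameters need internal/private visibility
    return True

def enumerate_programs():
    """Instantiate the template over every valid qualifier combination."""
    programs = []
    for vis, mut, loc in product(VISIBILITY, MUTABILITY, LOCATION):
        if is_valid(vis, mut, loc):
            quals = " ".join(q for q in (vis, mut) if q)
            source = TEMPLATE.format(loc=loc, quals=quals)
            programs.append(((vis, mut, loc), source))
    return programs

if __name__ == "__main__":
    programs = enumerate_programs()
    total = len(VISIBILITY) * len(MUTABILITY) * len(LOCATION)
    print(f"{len(programs)} valid programs out of {total} combinations")
    print(programs[0][1])
```

Each generated source would then be handed to the compiler under test; a crash or internal error on any of them is a candidate bug report.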