Erwin is an academic attempt at introducing bounded exhaustive instantiation into random program generation to mitigate opportunism.
Unlike Csmith-family tools, which generate a test program in one go, Erwin separates the generation process into two sub-steps: 1) randomly generate a type/loc/vis-agnostic IR (i.e., a program without types, storage locations, and visibilities), and 2) conduct bounded exhaustive instantiation to instantiate the IR into a swarm of real-world test programs.
By masking out bug-related language features, such as type, storage location, and visibility, in the IR, Erwin shrinks the search space to a highly bug-related subspace. This way, Erwin reduces opportunism in random program generation.
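To make the two sub-steps concrete, below is a toy model of the scheme written for this page. It is an added illustration, not Erwin's code: the IR shape (holes written as `{hole: <feature>}`), the candidate type and visibility sets, the `equal` constraint encoding, and every helper name (`buildIR`, `holeGroups`, `instantiate`, `render`) are assumptions made for the demo. Step 1 is a hand-built IR with three holes; step 2 enumerates the masked holes exhaustively (the role of `-m`) up to a bound (the role of `-max`), while unmasked holes are filled by a single random pick, which is what one-go generation does for every feature.

```javascript
// Toy model of Erwin's two-step generation, added as an illustration. It is NOT
// Erwin's code; IR shape, candidate sets, constraint encoding and names are assumed.

// Candidate values for each maskable feature (a small hypothetical subset).
const CANDIDATES = {
  type: ["int8", "uint8", "int256", "uint256"],
  vis: ["public", "internal", "private"],
};

// Step 1 output: a feature-agnostic IR in which features are left as holes,
// written {hole: <feature>}. The real tool builds this randomly; this is a
// constructed fixture: one state variable and one setter function.
function buildIR() {
  return {
    stateVar: { name: "v", type: { hole: "type" } },
    fn: {
      name: "f",
      vis: { hole: "vis" },
      param: { name: "x", type: { hole: "type" } },
      body: "v = x;",
    },
    // Well-typedness side condition: `v = x` needs both sides to share a type,
    // so the two type holes must always receive the same candidate.
    constraints: [{ equal: ["stateVar.type", "fn.param.type"] }],
  };
}

// List holes as dotted paths, in a fixed traversal order.
function collectHoles(node, path = "", out = []) {
  if (node && typeof node === "object") {
    if ("hole" in node) { out.push({ path, feature: node.hole }); return out; }
    for (const [k, v] of Object.entries(node)) collectHoles(v, path ? `${path}.${k}` : k, out);
  }
  return out;
}

const getPath = (obj, path) => path.split(".").reduce((o, k) => o[k], obj);
function setPath(obj, path, value) {
  const keys = path.split(".");
  const last = keys.pop();
  (keys.length ? getPath(obj, keys.join(".")) : obj)[last] = value;
}

// Union holes that a constraint forces to agree, so enumeration ranges over
// groups (one choice per group) instead of individual holes. This pruning is
// what keeps the generated swarm inside the well-typed subspace.
function holeGroups(ir) {
  const holes = collectHoles(ir);
  const parent = new Map(holes.map((h) => [h.path, h.path]));
  const find = (p) => (parent.get(p) === p ? p : find(parent.get(p)));
  for (const c of ir.constraints || []) {
    for (const p of c.equal.slice(1)) parent.set(find(p), find(c.equal[0]));
  }
  const groups = new Map();
  for (const h of holes) {
    const root = find(h.path);
    if (!groups.has(root)) groups.set(root, { feature: h.feature, paths: [] });
    groups.get(root).paths.push(h.path);
  }
  return [...groups.values()];
}

// Step 2: bounded exhaustive instantiation. Groups whose feature is in `masks`
// are enumerated over the full cartesian product of their candidates; all other
// groups are filled once by `pick` (random by default). At most `max` programs
// are produced. With masks = [] this degenerates to trivial one-go generation.
function* instantiate(ir, masks, max, pick = (c) => c[Math.floor(Math.random() * c.length)]) {
  const groups = holeGroups(ir);
  const masked = groups.filter((g) => masks.includes(g.feature));
  const unmasked = groups.filter((g) => !masks.includes(g.feature));
  const total = masked.reduce((n, g) => n * CANDIDATES[g.feature].length, 1);
  for (let i = 0; i < Math.min(total, max); i++) {
    const inst = JSON.parse(JSON.stringify(ir));
    let rest = i; // decode i as a mixed-radix number: one digit per masked group
    for (const g of masked) {
      const cands = CANDIDATES[g.feature];
      for (const p of g.paths) setPath(inst, p, cands[rest % cands.length]);
      rest = Math.floor(rest / cands.length);
    }
    for (const g of unmasked) {
      const v = pick(CANDIDATES[g.feature]);
      for (const p of g.paths) setPath(inst, p, v);
    }
    yield render(inst);
  }
}

// Render an instantiated IR as Solidity source text.
function render(inst) {
  const { stateVar: s, fn } = inst;
  return [
    "pragma solidity ^0.8.0;",
    "contract C {",
    `    ${s.type} ${s.name};`,
    `    function ${fn.name}(${fn.param.type} ${fn.param.name}) ${fn.vis} { ${fn.body} }`,
    "}",
  ].join("\n");
}

// Demo: mask only `type`, bound 100. The two type holes form one group, so four
// candidates yield exactly four well-typed programs instead of sixteen mixed ones.
const swarm = [...instantiate(buildIR(), ["type"], 100)];
console.log(`${swarm.length} programs\n${swarm[0]}`);
```

Masking both `type` and `vis` gives 4 × 3 = 12 programs from the same IR; passing a smaller bound cuts the enumeration off after that many. The point of grouping holes by constraint is visible in the numbers: without it the type holes would be enumerated independently and three quarters of the 16 combinations would be rejected by the type checker before reaching the code paths being fuzzed.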
Erwin is still under development; suggestions and collaboration are welcome.
The simplest way is to `npm install @__haoyang__/erwin` and run `npx erwin generate` with different generation flags. A bare `npx erwin generate` is the trivial generation, in which Erwin does not explore the search space of the IR but behaves like Csmith, generating a test program in one go.
To use Erwin's features in program generation, pass `-m` to specify the bug-related features you want to mask in the IR, and `-max` to specify the maximum number of test programs to instantiate from the generated IR.
To use Erwin directly to fuzz the Solidity compiler, pass `--enable_test`.
Below is an example command to fuzz the Solidity compiler:

```
npx erwin generate -m type -d --enable_test --compiler_path=../solidity/build/solc/solc --refresh_folder --generation_rounds 10000 -max 100
```

For more flags, please refer to `npx erwin generate -h`.
- ethereum/solidity#14719 (medium impact, confirmed, fixed, type) ✅
- ethereum/solidity#14720 (duplicate of 14719) 🤡
- ethereum/solidity#15223 (error handling) ✅
- ethereum/solidity#15236 (a probable duplicate, confirmed, fixed, type) ✅🤡
- ethereum/solidity#15219 (low effort, low impact, confirmed) ✅
- ethereum/solidity#15468 (low effort, low impact, confirmed, a probable duplicate) ✅🤡
- ethereum/solidity#15469 (smt) ✅
- ethereum/solidity#15469 (smt, two bugs in a thread) ✅
- ethereum/solidity#15483 (not a bug, but a workaround)
- ethereum/solidity#15525 (documentation error, workaround) ✅
- ethereum/solidity#15483 (documentation error) ✅
- ethereum/solidity#15565 (error handling)
- ethereum/solidity#15564 (error handling)
- ethereum/solidity#15567 (error handling)
- ethereum/solidity#15566 (documentation error)
- ethereum/solidity#15583 (error handling, low effort low impact, must have eventually, should report better error) ✅
- ethereum/solidity#15645 (ICE, duplicate) 🤡
- ethereum/solidity#15646 (error handling) ✅
- ethereum/solidity#15647 (ICE, smt) ✅
- ethereum/solidity#15649 (ICE)
- ethereum/solidity#15651 (ICE)
- crytic/slither#2619 (hang)
Besides finding bugs, Erwin also plays a role in examining the design of language features. So far, Erwin has found the following features that may be confusing to Solidity users.
- Solidity has a weird type inference on `int_const`, `int`, and `uint`. Many intuitive operations on int literals and (u)int variables are forbidden. The second line below raises a type error:
  ```solidity
  int8 var21;
  false ? var21 : 62;
  ```
  `TypeError: True expression's type int8 does not match false expression's type uint8.`
- Support `byte` and `bytes` (similar to arrays).
- Support contract inheritance.
- Support global constant variables, functions, and structs.
- Support variable shadowing.
- Support function types.
- Support inline assembly.
- Mutate Solidity programs.