Overview
The MorFuzz paper describes a watchpoint instruction as an instruction inserted into a generated instruction sequence at a specific location to expose the internal state of the device under test (DUT). Its stated purpose is to enhance observability during processor fuzzing. [C1]
Role in MorFuzz
MorFuzz generates template instructions at block granularity and uses manually constructed sequence patterns in each testing block to constrain instruction types and reach desired test points. Within those sequence patterns, MorFuzz inserts watchpoint instructions at selected positions so that internal DUT state can be observed. [C2]
The paper gives an example: after a floating-point instruction sequence, MorFuzz inserts instructions that read the floating-point exception flag CSR to check whether the exception flag is set correctly. [C3]
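The following sketch illustrates that floating-point example. It is an added example, not code from the paper or from MorFuzz. It assumes a RISC-V DUT, where the exception flag CSR is `fflags` at address 0x001; the helper names and the sample block are constructed for illustration.

```python
# Added illustration, not MorFuzz code. Assumes a RISC-V DUT; helper names are hypothetical.
FFLAGS_CSR = 0x001                            # RISC-V fflags CSR address
FP_OPCODES = {0x43, 0x47, 0x4B, 0x4F, 0x53}   # FMADD, FMSUB, FNMSUB, FNMADD, OP-FP
FFLAG_BITS = {4: "NV", 3: "DZ", 2: "OF", 1: "UF", 0: "NX"}

def is_fp_arith(word):
    """True for FP computational opcodes; FP loads/stores never set fflags."""
    return (word & 0x7F) in FP_OPCODES

def frflags(rd):
    """Encode `csrrs rd, fflags, x0`: reads fflags without modifying it."""
    return (FFLAGS_CSR << 20) | (0b010 << 12) | (rd << 7) | 0x73

def insert_watchpoints(block, rd=5):
    """Copy `block`, adding an fflags read after each run of FP instructions.

    The watchpoint overwrites x[rd], so a real generator must pick a register
    that the surrounding sequence does not depend on (t0/x5 assumed here).
    """
    out = []
    for i, word in enumerate(block):
        out.append(word)
        last_of_run = i + 1 == len(block) or not is_fp_arith(block[i + 1])
        if is_fp_arith(word) and last_of_run:
            out.append(frflags(rd))
    return out

def decode_fflags(value):
    """Names of the accrued-exception bits set in an fflags value."""
    return [name for bit, name in FFLAG_BITS.items() if (value >> bit) & 1]

def mismatched_flags(observed, expected):
    """Flags that differ between the observed and expected fflags at a watchpoint."""
    return decode_fflags((observed ^ expected) & 0x1F)

# Constructed sample block: addi x1,x0,1 / fadd.s f0,f1,f2 / fdiv.s f3,f0,f1 / add x3,x1,x2
SAMPLE_BLOCK = [0x00100093, 0x0020F053, 0x181071D3, 0x002081B3]

if __name__ == "__main__":
    for word in insert_watchpoints(SAMPLE_BLOCK):
        print(f"{word:08x}")
    # Constructed values: DUT reports no flags, expected value has divide-by-zero set.
    print(mismatched_flags(0x00, 0x08))
```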
Relationship to stimulus templates
The watchpoint-instruction mechanism is part of the broader stimulus-template generation flow. Template instructions act as placeholders that preserve instruction-length information for the memory layout of the stimulus template, while their other fields initially hold dummy values that MorFuzz later replaces using runtime contextual information. The fuzzer also manages the control flow of the stimulus template through the fuzzing execution environment. [C4]
Practical purpose
As the paper describes it, the practical purpose of watchpoint instructions is not to mutate instruction fields but to make processor state visible at meaningful points in a generated sequence. This supports checking whether execution side effects, such as CSR exception flags after floating-point sequences, match the expected behavior. [C1][C3]