-rw-r--r-- | qemu_mode/README.qemu | 20 |
1 files changed, 15 insertions, 5 deletions
diff --git a/qemu_mode/README.qemu b/qemu_mode/README.qemu index 754c0259..cd8559ad 100644 --- a/qemu_mode/README.qemu +++ b/qemu_mode/README.qemu @@ -16,14 +16,16 @@ with afl-gcc. The usual performance cost is 2-5x, which is considerably better than seen so far in experiments with tools such as DynamoRIO and PIN. -The idea and much of the implementation comes from Andrew Griffiths. +The idea and much of the initial implementation comes from Andrew Griffiths. +The actual implementation on QEMU 3 (shipped with afl++) is from +Andrea Fioraldi. Special thanks to abiondo that re-enabled TCG chaining. 2) How to use ------------- -The feature is implemented with a fairly simple patch to QEMU 2.10.0. The -simplest way to build it is to run ./build_qemu_support.sh. The script will -download, configure, and compile the QEMU binary for you. +The feature is implemented with a patch to QEMU 3.1.0. The simplest way +to build it is to run ./build_qemu_support.sh. The script will download, +configure, and compile the QEMU binary for you. QEMU is a big project, so this will take a while, and you may have to resolve a couple of dependencies (most notably, you will definitely need 
@@ -53,10 +55,18 @@ There is ./libcompcov/ which implements laf-intel (splitting memcmp, strncmp, etc. to make these conditions easier solvable by afl-fuzz). Highly recommended. +The option that enables QEMU CompareCoverage is QEMU_COMPCOV_LEVEL. +QEMU_COMPCOV_LEVEL=1 is to instrument comparisons with only immediate +values / read-only memory. QEMU_COMPCOV_LEVEL=2 instruments all +comparison instructions and memory comparison functions when libcompcov +is preloaded. Comparison instructions are currently instrumented only +on the x86 and x86_64 targets. + Another option is the environment variable AFL_ENTRYPOINT which allows move the forkserver to a different part, e.g. just before the file is opened (e.g. way after command line parsing and config file loading, etc) -which can be a huge speed improvement. +which can be a huge speed improvement. Note that the specified address +must be an address of a basic block. 4) Notes on linking ------------------- |
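Review bot: The credit line added in the first hunk reads "Special thanks to abiondo that re-enabled TCG chaining"; it should be "who re-enabled TCG chaining". In the same hunk the new text says the implementation is "on QEMU 3" while the paragraph just below it says the patch targets "QEMU 3.1.0"; use the same version string in both places so readers do not wonder whether other 3.x releases are supported.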
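Review bot: The new QEMU_COMPCOV_LEVEL paragraph in the second hunk documents levels 1 and 2 but never states what happens when the variable is unset or set to 0 (whether CompareCoverage is off by default); add one sentence giving the default. The AFL_ENTRYPOINT addition says the address "must be an address of a basic block" but not what the user will observe if it is not (the forkserver is never reached and the target runs uninstrumented, or hangs); stating the failure mode and how to confirm a candidate address makes the constraint actionable. While touching that paragraph, the pre-existing wording "which allows move the forkserver" should be "which allows moving the forkserver".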