-rw-r--r--include/config.h4
-rw-r--r--include/envs.h1
-rw-r--r--instrumentation/afl-compiler-rt.o.c2
-rw-r--r--qemu_mode/README.md22
m---------qemu_mode/qemuafl0
5 files changed, 14 insertions, 15 deletions
diff --git a/include/config.h b/include/config.h
index 181285cd..9f7db04d 100644
--- a/include/config.h
+++ b/include/config.h
@@ -42,7 +42,7 @@
  *
  */
 
-/* Enable arithmetic compare solving for both path */
+/* Enable arithmetic compare solving for both branches */
 #define CMPLOG_SOLVE_ARITHMETIC
 
 /* Enable transform following (XOR/ADD/SUB manipulations, hex en/decoding) */
@@ -51,7 +51,7 @@
 /* if TRANSFORM is enabled, this additionally enables base64 en/decoding */
 // #define CMPLOG_SOLVE_TRANSFORM_BASE64
 
-/* If a redqueen pass finds more than one solve, try to combine them? */
+/* If a redqueen pass finds more than one solution, try to combine them? */
 #define CMPLOG_COMBINE
 
 /* Minimum % of the corpus to perform cmplog on. Default: 20% */
diff --git a/include/envs.h b/include/envs.h
index 4313e053..143979c6 100644
--- a/include/envs.h
+++ b/include/envs.h
@@ -131,6 +131,7 @@ static char *afl_environment_variables[] = {
     "AFL_QEMU_DEBUG_MAPS",
     "AFL_QEMU_DISABLE_CACHE",
     "AFL_QEMU_DRIVER_NO_HOOK",
+    "AFL_QEMU_FORCE_DFL",
     "AFL_QEMU_PERSISTENT_ADDR",
     "AFL_QEMU_PERSISTENT_CNT",
     "AFL_QEMU_PERSISTENT_GPR",
diff --git a/instrumentation/afl-compiler-rt.o.c b/instrumentation/afl-compiler-rt.o.c
index 5fb715e2..dba4dc65 100644
--- a/instrumentation/afl-compiler-rt.o.c
+++ b/instrumentation/afl-compiler-rt.o.c
@@ -1090,7 +1090,7 @@ __attribute__((constructor(0))) void __afl_auto_first(void) {
   if (getenv("AFL_DISABLE_LLVM_INSTRUMENTATION")) return;
   u8 *ptr;
 
-  ptr = (u8 *)malloc(2097152);
+  ptr = (u8 *)malloc(MAP_INITIAL_SIZE);
 
   if (ptr && (ssize_t)ptr != -1) {
 
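Review bot: The guard on the line after the changed malloc, `if (ptr && (ssize_t)ptr != -1) {`, still tests for a -1 return, which malloc never produces; that comparison is a leftover from an mmap-style check and the cast of a pointer to ssize_t only obscures it, so the condition can be reduced to `if (ptr) {`. Replacing 2097152 with MAP_INITIAL_SIZE is an improvement, but the hunk does not show where MAP_INITIAL_SIZE is defined or whether it still equals 2097152; if the value differs, the initial buffer size changes silently and the commit message should say so. A one-line comment such as `/* initial coverage map; replaced once the real shared map is attached */` above the allocation would help, if that is indeed what this buffer is for, since the body of __afl_auto_first continues outside the hunk and the buffer's later use is not visible here. Note also that malloc does not zero the block, so if the map contents are read before being written elsewhere, calloc would be the safer choice — worth confirming against the rest of the function.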
diff --git a/qemu_mode/README.md b/qemu_mode/README.md
index 9818846d..bc4c1d2c 100644
--- a/qemu_mode/README.md
+++ b/qemu_mode/README.md
@@ -17,7 +17,7 @@ The idea and much of the initial implementation comes from Andrew Griffiths.
 The actual implementation on current QEMU (shipped as qemuafl) is from
 Andrea Fioraldi. Special thanks to abiondo that re-enabled TCG chaining.
 
-## 2) How to use
+## 2) How to use qemu_mode
 
 The feature is implemented with a patched QEMU. The simplest way
 to build it is to run ./build_qemu_support.sh. The script will download,
@@ -176,7 +176,12 @@ Comparative measurements of execution speed or instrumentation coverage will be
 fairly meaningless if the optimization levels or instrumentation scopes don't
 match.
 
-## 12) Gotchas, feedback, bugs
+## 12) Other features
+
+With `AFL_QEMU_FORCE_DFL` you force QEMU to ignore the registered signal
+handlers of the target.
+
+## 13) Gotchas, feedback, bugs
 
 If you need to fix up checksums or do other cleanup on mutated test cases, see
 utils/custom_mutators/ for a viable solution.
@@ -197,19 +202,12 @@ with -march=core2, can help.
 Beyond that, this is an early-stage mechanism, so fields reports are welcome.
 You can send them to <afl-users@googlegroups.com>.
 
-## 13) Alternatives: static rewriting
+## 14) Alternatives: static rewriting
 
 Statically rewriting binaries just once, instead of attempting to translate
 them at run time, can be a faster alternative. That said, static rewriting is
 fraught with peril, because it depends on being able to properly and fully model
 program control flow without actually executing each and every code path.
 
-The best implementation is this one:
-
-  https://github.com/vanhauser-thc/afl-dyninst
-
-The issue however is Dyninst which is not rewriting the binaries so that
-they run stable. A lot of crashes happen, especially in C++ programs that
-use throw/catch. Try it first, and if it works for you be happy as it is
-2-3x as fast as qemu_mode, however usually not as fast as QEMU persistent mode.
-
+Checkout the "Fuzzing binary-only targets" section in our main README.md and
+the docs/binaryonly_fuzzing.md document for more information and hints.
diff --git a/qemu_mode/qemuafl b/qemu_mode/qemuafl
-Subproject 9a258d5b7a38c045a6e385fcfcf80a746a60e55
+Subproject 213f3b27dd099ef352181c48cd75c0f20a73e3f