path: root/qemu_mode/README.md
Diffstat (limited to 'qemu_mode/README.md')
-rw-r--r--  qemu_mode/README.md  17
1 files changed, 6 insertions, 11 deletions
diff --git a/qemu_mode/README.md b/qemu_mode/README.md
index 3ebfc54c..92038737 100644
--- a/qemu_mode/README.md
+++ b/qemu_mode/README.md
@@ -13,8 +13,8 @@ afl-cc.
 The usual performance cost is 2-5x, which is considerably better than seen so
 far in experiments with tools such as DynamoRIO and PIN.
 
-The idea and much of the initial implementation comes from Andrew Griffiths. The
-actual implementation on current QEMU (shipped as qemuafl) is from Andrea
+The idea and much of the initial implementation comes from Andrew Griffiths.
+The actual implementation on current QEMU (shipped as qemuafl) is from Andrea
 Fioraldi. Special thanks to abiondo that re-enabled TCG chaining.
 
 ## 2) How to use QEMU mode
@@ -30,17 +30,13 @@ glib2-devel).
 Once the binaries are compiled, you can leverage the QEMU tool by calling
 afl-fuzz and all the related utilities with `-Q` in the command line.
 
-Note that QEMU requires a generous memory limit to run; somewhere around 200 MB
-is a good starting point, but considerably more may be needed for more complex
-programs. The default `-m` limit will be automatically bumped up to 200 MB when
-specifying `-Q` to afl-fuzz; be careful when overriding this.
-
 In principle, if you set `CPU_TARGET` before calling ./build_qemu_support.sh,
 you should get a build capable of running non-native binaries (say, you can try
 `CPU_TARGET=arm`). This is also necessary for running 32-bit binaries on a
 64-bit system (`CPU_TARGET=i386`). If you're trying to run QEMU on a different
 architecture, you can also set `HOST` to the cross-compiler prefix to use (for
 example `HOST=arm-linux-gnueabi` to use arm-linux-gnueabi-gcc).
+Another common target is `CPU_TARGET=aarch64`.
 
 You can also compile statically-linked binaries by setting `STATIC=1`. This can
 be useful when compiling QEMU on a different system than the one you're planning
@@ -70,6 +66,8 @@ allows to move the forkserver to a different part, e.g., just before the file is
 opened (e.g., way after command line parsing and config file loading, etc.)
 which can be a huge speed improvement.
 
+For an example, see [README.deferred_initialization_example.md](README.deferred_initialization_example.md).
+
 ## 4) Persistent mode
 
 AFL++'s QEMU mode now supports also persistent mode for x86, x86_64, arm, and
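Review bot: the new link `[README.deferred_initialization_example.md](README.deferred_initialization_example.md)` is relative to `qemu_mode/`, but this commit touches only `qemu_mode/README.md` (per the diffstat), so please confirm the target file exists at that path in the tree, otherwise the link is dead at the time this lands.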
@@ -219,9 +217,6 @@ program may be utilizing. In particular, it does not appear to have full support
 for AVX2/FMA3. Using binaries for older CPUs or recompiling them with
 `-march=core2`, can help.
 
-Beyond that, this is an early-stage mechanism, so fields reports are welcome.
-You can send them to <afl-users@googlegroups.com>.
-
 ## 14) Alternatives: static rewriting
 
 Statically rewriting binaries just once, instead of attempting to translate them
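Review bot: removing the "field reports are welcome" paragraph also removes the only contact channel (`afl-users@googlegroups.com`) in this section; if the mailing list is no longer the intended place for reports, replace it with a pointer to the project's issue tracker rather than leaving no reporting path. As a side effect the typo "fields reports" goes away, which is fine.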
@@ -230,4 +225,4 @@ with peril, because it depends on being able to properly and fully model program
 control flow without actually executing each and every code path.
 
 For more information and hints, check out
-[docs/fuzzing_binary-only_targets.md](../docs/fuzzing_binary-only_targets.md).
\ No newline at end of file
+[docs/fuzzing_binary-only_targets.md](../docs/fuzzing_binary-only_targets.md).