Diffstat (limited to 'qemu_mode/README.md')
-rw-r--r--  qemu_mode/README.md  19
1 files changed, 19 insertions, 0 deletions
diff --git a/qemu_mode/README.md b/qemu_mode/README.md
index 610f6860..54fbf874 100644
--- a/qemu_mode/README.md
+++ b/qemu_mode/README.md
@@ -63,6 +63,25 @@ opened (e.g. way after command line parsing and config file loading, etc)
 which can be a huge speed improvement. Note that the specified address
 must be an address of a basic block.
 
+QEMU mode support also persistent mode for x86 and x86_64 targets.
+The environment variable to enable it is AFL_QEMU_PERSISTENT_ADDR=`start addr`.
+In this variable you must specify the address of the function that
+have to be the body of the persistent loop.
+The code in this function must be stateless like in the LLVM persistent mode.
+The return address on stack is patched like in WinAFL in order to repeat the
+execution of such function.
+Another modality to execute the persistent loop is to specify also the
+AFL_QEMU_PERSISTENT_RET=`end addr` env variable.
+With this variable assigned, instead of patching the return address, the
+specified instruction is transformed to a jump towards `start addr`.
+Note that the format of the addresses in such variables is hex.
+
+Note that the base address of PIE binaries in QEMU user is 0x4000000000.
+
+Warning: in x86_64 parameters are passed via registers and so the target
+function of persistent mode cannot make use of arguments. An option to restore
+the state of each GPR each iteration of the loop is planned.
+
 ## 4) Notes on linking
 
 The feature is supported only on Linux. Supporting BSD may amount to porting
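Review bot: the new paragraph leaves two things undocumented that a user setting these variables will need: which of the two architectures the PIE base address `0x4000000000` applies to, and whether the instruction at `end addr` still executes once it has been "transformed to a jump". The base-address note sits in a paragraph that covers both x86 and x86_64 but a 40-bit address cannot be a base for a 32-bit guest, so it should say "for x86_64 targets" (and give the x86 value, or say the value must be read from the loader). For `AFL_QEMU_PERSISTENT_RET`, say plainly that the instruction at `end addr` is replaced and is never executed, so it should be the function's `ret` (or another instruction whose effect the loop can lose); the current wording "instead of patching the return address, the specified instruction is transformed" leaves that for the reader to guess. It would also help to say whether `start addr` has to be a basic-block start, as the preceding paragraph already requires for the entry-point variable. Smaller wording fixes in the same lines: "QEMU mode support also persistent mode" should be "QEMU mode also supports persistent mode", "the function that have to be the body" should be "the function that has to be the body", "Another modality to execute" reads better as "Another way to run", and "in x86_64 parameters are passed via registers" should be "on x86_64 parameters are passed in registers".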