From 820621baa27362efbee9be748f7a9c8f55bf7a54 Mon Sep 17 00:00:00 2001 From: Andrea Fioraldi Date: Thu, 12 Sep 2019 19:54:35 +0200 Subject: qemu mode readme update --- qemu_mode/README.md | 13 +++++++++++++ 1 file changed, 13 insertions(+) (limited to 'qemu_mode') diff --git a/qemu_mode/README.md b/qemu_mode/README.md index 610f6860..afa2595a 100644 --- a/qemu_mode/README.md +++ b/qemu_mode/README.md @@ -63,6 +63,19 @@ opened (e.g. way after command line parsing and config file loading, etc) which can be a huge speed improvement. Note that the specified address must be an address of a basic block. +QEMU mode support also persistent mode for x86 and x86_64 targets. +The environment variable to enable it is AFL_QEMU_PERSISTENT_ADDR=. +In this variable you must specify the address of the function that must be +the body of the persistent loop. +The return address on stack is patched like in WinAFL in order to repeat the +execution of such function. +Another modality to execute the persistent loop is to specify also the +AFL_QEMU_PERSISTENT_RET= env variable. +With this variable assigned, instead of patching the return address, the +specified instruction is transformed to a jump towards . + +Note that the base address of PIE binaries in QEMU user is 0x4000000000. + ## 4) Notes on linking The feature is supported only on Linux. Supporting BSD may amount to porting -- cgit 1.4.1
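Review bot: the new README paragraph in this hunk leaves both environment-variable placeholders empty ("AFL_QEMU_PERSISTENT_ADDR=" and "a jump towards .") and opens with a grammar slip ("QEMU mode support also persistent mode"), so a reader cannot tell what value each variable takes. Suggest rewording to "QEMU mode also supports persistent mode for x86 and x86_64 targets. Enable it with AFL_QEMU_PERSISTENT_ADDR=<address of the function that forms the body of the persistent loop>." and, for the second variable, "...the instruction at AFL_QEMU_PERSISTENT_RET=<address> is transformed into a jump back to the AFL_QEMU_PERSISTENT_ADDR address." It would also help to state explicitly that, as with the start-address note just above, the address must be the function's entry point (the return-address patching described here only repeats the function when control re-enters at its start), and the closing remark about the PIE base "0x4000000000" should say which of the two supported targets it applies to, since the paragraph covers both x86 and x86_64.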