--- qemu-2.10.0-clean/accel/tcg/cpu-exec.c	2017-08-30 18:50:40.000000000 +0200
+++ qemu-2.10.0/accel/tcg/cpu-exec.c	2018-09-22 13:21:23.612068407 +0200
@@ -36,6 +36,8 @@
 #include "sysemu/cpus.h"
 #include "sysemu/replay.h"
 
+#include "../patches/afl-qemu-cpu-inl.h"
+
 /* -icount align implementation. */
 
 typedef struct SyncClocks {
@@ -144,6 +146,8 @@
     int tb_exit;
     uint8_t *tb_ptr = itb->tc_ptr;
 
+    AFL_QEMU_CPU_SNIPPET2;
+
     qemu_log_mask_and_addr(CPU_LOG_EXEC, itb->pc,
                            "Trace %p [%d: " TARGET_FMT_lx "] %s\n",
                            itb->tc_ptr, cpu->cpu_index, itb->pc,
@@ -337,7 +341,7 @@
     TranslationBlock *tb;
     target_ulong cs_base, pc;
     uint32_t flags;
-    bool have_tb_lock = false;
+    bool have_tb_lock = false, was_translated = false, was_chained = false;
 
     /* we record a subset of the CPU state. It will
        always be the same before a given translated block
@@ -365,6 +369,7 @@
             if (!tb) {
                 /* if no translated code available, then translate it now */
                 tb = tb_gen_code(cpu, pc, cs_base, flags, 0);
+                was_translated = true;
             }
 
             mmap_unlock();
@@ -390,11 +395,16 @@
         }
         if (!tb->invalid) {
             tb_add_jump(last_tb, tb_exit, tb);
+            was_chained = true;
         }
     }
     if (have_tb_lock) {
         tb_unlock();
     }
+    if (was_translated || was_chained) {
+        afl_request_tsl(pc, cs_base, flags, was_chained ? last_tb : NULL,
+                        tb_exit);
+    }
     return tb;
 }