js-confuser-vm 0.0.3 → 0.0.5

package/dist/runtime.js

@@ -12,8 +12,9 @@ function decodeBytecode(s) {
   var b = typeof Buffer !== "undefined" ? Buffer.from(s, "base64") : Uint8Array.from(atob(s), function (c) {
     return c.charCodeAt(0);
   });
-  var r = new Int32Array(b.length / 4);
-  for (var i = 0; i < r.length; i++) r[i] = b[i * 4] | b[i * 4 + 1] << 8 | b[i * 4 + 2] << 16 | b[i * 4 + 3] << 24;
+  // Each slot is a u16 stored as 2 little-endian bytes.
+  var r = new Uint16Array(b.length / 2);
+  for (var i = 0; i < r.length; i++) r[i] = b[i * 2] | b[i * 2 + 1] << 8;
   return r;
 }
 
@@ -85,22 +86,10 @@ VM.prototype.peek = function () {
   return this._stack[this._stack.length - 1];
 };
 
-// Read one instruction word from this.bytecode at `pc`, unwrapping the
-// encoding so callers always get a plain { op, operand } pair regardless
-// of whether ENCODE_BYTECODE is active.
-VM.prototype.readWord = function (pc) {
-  var word = this.bytecode[pc];
-  if (ENCODE_BYTECODE) {
-    return {
-      op: word & 0xff,
-      operand: word >>> 8
-    };
-  } else {
-    return {
-      op: word[0],
-      operand: word[1]
-    };
-  }
+// Consume the next slot from the flat bytecode stream and advance the PC.
+// Called by opcode handlers to read each of their operands in order.
+VM.prototype._operand = function () {
+  return this.bytecode[this._currentFrame._pc++];
 };
 VM.prototype.captureUpvalue = function (frame, slot) {
   // Reuse existing open upvalue for this frame+slot if one exists.
@@ -128,47 +117,48 @@ VM.prototype.run = function () {
   var now = () => {
     return performance.now();
   };
-  var t = now();
+  var lastTime = now();
   while (true) {
     var frame = this._currentFrame;
     var bc = this.bytecode;
     if (frame._pc >= bc.length) break;
-    var op, operand;
-    var word = this.readWord(frame._pc++);
-    op = word.op;
-    operand = word.operand;
+    var op = this.bytecode[frame._pc++];
 
-    // console.log(frame._pc - 1, op, operand);
+    // console.log(frame._pc - 1, op);
 
-    // Debugging protection
+    // Debugging protection: Detects debugger by checking for >1s pauses which can only happen from debugger; or extremely slow sync tasks
     if (TIMING_CHECKS) {
-      var t2 = now();
-      var isTamper = t2 - t > 1000;
-      t = t2;
+      var currentTime = now();
+      var isTamper = currentTime - lastTime > 1000;
+      lastTime = currentTime;
       if (isTamper) {
+        // Poison the bytecode
+        for (var i = 0; i < this.bytecode.length; i++) this.bytecode[i] = 0;
+        // Break the current state
         op = OP.POP;
+        this._stack = [];
       }
     }
     try {
       /* @SWITCH */
       switch (op) {
         case OP.LOAD_CONST:
-          this._push(this.constants[operand]);
+          this._push(this.constants[this._operand()]);
           break;
         case OP.LOAD_INT:
-          this._push(operand);
+          this._push(this._operand());
           break;
         case OP.LOAD_LOCAL:
-          this._push(frame.locals[operand]);
+          this._push(frame.locals[this._operand()]);
           break;
         case OP.STORE_LOCAL:
-          frame.locals[operand] = this._pop();
+          frame.locals[this._operand()] = this._pop();
           break;
         case OP.LOAD_GLOBAL:
-          this._push(this.globals[this.constants[operand]]);
+          this._push(this.globals[this.constants[this._operand()]]);
           break;
         case OP.STORE_GLOBAL:
-          this.globals[this.constants[operand]] = this._pop();
+          this.globals[this.constants[this._operand()]] = this._pop();
           break;
         case OP.GET_PROP:
           {
@@ -352,45 +342,50 @@ VM.prototype.run = function () {
             break;
           }
         case OP.JUMP:
-          frame._pc = operand;
+          frame._pc = this._operand();
           break;
         case OP.JUMP_IF_FALSE:
-          if (!this._pop()) frame._pc = operand;
-          break;
+          {
+            var target = this._operand();
+            if (!this._pop()) frame._pc = target;
+            break;
+          }
         case OP.JUMP_IF_TRUE_OR_POP:
-          // || semantics: if truthy, we're done - leave value, jump over RHS.
-          // If falsy, discard it and fall through to evaluate RHS.
-          if (this.peek()) {
-            frame._pc = operand;
-          } else {
-            this._pop();
+          {
+            // || semantics: if truthy, we're done - leave value, jump over RHS.
+            // If falsy, discard it and fall through to evaluate RHS.
+            var target = this._operand();
+            if (this.peek()) {
+              frame._pc = target;
+            } else {
+              this._pop();
+            }
+            break;
           }
-          break;
         case OP.JUMP_IF_FALSE_OR_POP:
-          // && semantics: if falsy, we're done - leave value, jump over RHS.
-          // If truthy, discard it and fall through to evaluate RHS.
-          if (!this.peek()) {
-            frame._pc = operand;
-          } else {
-            this._pop();
+          {
+            // && semantics: if falsy, we're done - leave value, jump over RHS.
+            // If truthy, discard it and fall through to evaluate RHS.
+            var target = this._operand();
+            if (!this.peek()) {
+              frame._pc = target;
+            } else {
+              this._pop();
+            }
+            break;
           }
-          break;
         case OP.MAKE_CLOSURE:
           {
-            // operand = startPc: absolute index of the function body's first instruction.
-            // Metadata is read from the value stack (pushed by _emitClosureMetadata).
-            // Stack layout when we arrive here (top is rightmost):
-            //   [isLocal_0, idx_0, ..., isLocal_N-1, idx_N-1, uvCount, localCount, paramCount]
-            var startPc = operand;
-            var paramCount = this._pop();
-            var localCount = this._pop();
-            var uvCount = this._pop();
-
-            // Upvalues were pushed in order 0..N-1 so we pop them in reverse.
+            // Inline operands: startPc, paramCount, localCount, uvCount,
+            //                  [isLocal_0, idx_0, isLocal_1, idx_1, ...]
+            var startPc = this._operand();
+            var paramCount = this._operand();
+            var localCount = this._operand();
+            var uvCount = this._operand();
             var uvDescs = new Array(uvCount);
-            for (var i = uvCount - 1; i >= 0; i--) {
-              var uvIndex = this._pop();
-              var isLocalRaw = this._pop();
+            for (var i = 0; i < uvCount; i++) {
+              var isLocalRaw = this._operand();
+              var uvIndex = this._operand();
               uvDescs[i] = {
                 isLocal: isLocalRaw,
                 _index: uvIndex
@@ -434,19 +429,15 @@ VM.prototype.run = function () {
             this._push(shell);
             break;
           }
-        case OP.DATA:
-          // Should never appear in compiled output (reserved opcode slot).
-          throw new Error("DATA opcode executed at pc " + (frame._pc - 1));
         case OP.LOAD_UPVALUE:
-          this._push(frame.closure.upvalues[operand]._read());
+          this._push(frame.closure.upvalues[this._operand()]._read());
           break;
         case OP.STORE_UPVALUE:
-          frame.closure.upvalues[operand]._write(this._pop());
+          frame.closure.upvalues[this._operand()]._write(this._pop());
           break;
         case OP.BUILD_ARRAY:
           {
-            // Pop \`operand\` values off the stack in reverse, assemble array.
-            var elems = this._stack.splice(this._stack.length - operand);
+            var elems = this._stack.splice(this._stack.length - this._operand());
             this._push(elems);
             break;
           }
@@ -454,7 +445,7 @@ VM.prototype.run = function () {
           {
             // Stack has: key0, val0, key1, val1 ... keyN, valN  (pushed left->right)
             // Pop all pairs and build the object.
-            var pairs = this._stack.splice(this._stack.length - operand * 2);
+            var pairs = this._stack.splice(this._stack.length - this._operand() * 2);
             var o = {};
             for (var i = 0; i < pairs.length; i += 2) {
               o[pairs[i]] = pairs[i + 1]; // key at even index, val at odd
@@ -495,7 +486,7 @@ VM.prototype.run = function () {
           }
         case OP.CALL:
           {
-            var args = this._stack.splice(this._stack.length - operand);
+            var args = this._stack.splice(this._stack.length - this._operand());
             var callee = this._pop();
             if (callee && callee[CLOSURE_SYM]) {
               // VM closure - run directly in this VM, no sub-VM overhead
@@ -514,7 +505,7 @@ VM.prototype.run = function () {
           }
         case OP.CALL_METHOD:
           {
-            var args = this._stack.splice(this._stack.length - operand);
+            var args = this._stack.splice(this._stack.length - this._operand());
             var callee = this._pop();
             var receiver = this._pop(); // left on stack by GET_PROP
             if (callee && callee[CLOSURE_SYM]) {
@@ -536,7 +527,7 @@ VM.prototype.run = function () {
           break;
         case OP.NEW:
           {
-            var args = this._stack.splice(this._stack.length - operand);
+            var args = this._stack.splice(this._stack.length - this._operand());
             var callee = this._pop();
             if (callee && callee[CLOSURE_SYM]) {
               // VM closure constructor - prototype is unified via shell.prototype = closure.prototype
@@ -612,11 +603,12 @@ VM.prototype.run = function () {
           }
         case OP.FOR_IN_NEXT:
           {
-            // operand = jump target for the done case.
-            // Pop the iterator; if exhausted jump to exit, otherwise push next key.
+            // Operand = jump target for the done case. Must be read before the
+            // conditional so the PC stays correctly aligned either way.
+            var target = this._operand();
             var iter = this._pop();
             if (iter.i >= iter._keys.length) {
-              frame._pc = operand;
+              frame._pc = target;
             } else {
               this._push(iter._keys[iter.i++]);
             }
@@ -624,11 +616,13 @@ VM.prototype.run = function () {
           }
         case OP.PATCH:
           {
-            // Writes at operand the bytecode[arg1:arg2]
-            var destPc = operand;
-            var instructions = this.bytecode.slice(this._pop(), this._pop());
-            for (var i = 0; i < instructions.length; i++) {
-              this.bytecode[destPc + i] = instructions[i];
+            // Inline operands: destPc, sliceStart, sliceEnd
+            // Copies bytecode[sliceStart..sliceEnd) flat u16 slots to destPc.
+            var destPc = this._operand();
+            var sliceStart = this._operand();
+            var sliceEnd = this._operand();
+            for (var pi = sliceStart; pi < sliceEnd; pi++) {
+              this.bytecode[destPc + (pi - sliceStart)] = this.bytecode[pi];
             }
             break;
           }
@@ -638,7 +632,7 @@ VM.prototype.run = function () {
             // Saves: catch PC (operand), current stack depth, current frame-stack depth.
             // If an exception is thrown before TRY_END fires, the VM jumps here.
             frame._handlerStack.push({
-              handlerPc: operand,
+              handlerPc: this._operand(),
               stackDepth: this._stack.length,
               frameStackDepth: this._frameStack.length
             });

package/dist/transforms/bytecode/macroOpcodes.js

@@ -0,0 +1,152 @@
+import { SOURCE_NODE_SYM } from "../../compiler.js";
+import { nextFreeSlot, U16_MAX } from "../utils/op-utils.js";
+
+// Opcodes that must not appear inside a macro window.
+// Jump ops: modifying frame._pc mid-execution causes the macro handler to
+//   run subsequent sub-bodies even after the jump already fired.
+// Frame-changing ops (CALL, CALL_METHOD, NEW, RETURN, THROW): push/pop call
+//   frames mid-macro, leaving the `frame` variable stale for later sub-bodies.
+// Variable-operand ops (MAKE_CLOSURE): the number of _operand() calls depends
+//   on uvCount at runtime, so a static handler cannot be generated.
+// Infrastructure ops (DATA, PATCH, TRY_SETUP, TRY_END, DEBUGGER):
+//   either illegal here or nonsensical to fold.
+
+// Scan bytecode for repeating instruction sequences and fold them into
+// macro opcodes.  Runs after selfModifying but before resolveLabels so
+// IR-ref operands (label/constant) are carried through transparently.
+//
+// Algorithm:
+//   1. Count every eligible window of length 2–5 by its op-code signature.
+//   2. Keep sequences that appear >= 2 times; sort by frequency then length.
+//   3. Assign unused opcode values (0–255, not already claimed by compiler.OP)
+//      to the most-frequent candidates and store in compiler.MACRO_OPS.
+//   4. Re-scan bytecode, replacing each matched sequence with a single
+//      multi-operand instruction:
+//        [macroOpCode, operands_of_instr_0..., operands_of_instr_1..., ...]
+//      The runtime macro handler inlines each sub-instruction body; those
+//      bodies call this._operand() themselves to consume the inline operands.
+export function macroOpcodes(bc, compiler) {
+  const originalOpToName = new Map();
+  for (const name in compiler.OP) {
+    const opVal = compiler.OP[name];
+    originalOpToName.set(opVal, name);
+  }
+  function isEligible(op, compiler) {
+    if (op === null) return false;
+    const {
+      OP,
+      JUMP_OPS
+    } = compiler;
+    if (JUMP_OPS.has(op)) return false;
+    const excluded = new Set([OP.RETURN, OP.PATCH, OP.TRY_SETUP, OP.TRY_END, OP.DEBUGGER, OP.CALL, OP.CALL_METHOD, OP.NEW, OP.THROW, OP.MAKE_CLOSURE // variable-length operands — cannot generate a static handler
+    ]);
+    return !excluded.has(op) && originalOpToName.has(op); // Only original Ops are eligible (specialized disallowed)
+  }
+
+  // Collect every opcode value already in use so we can find free slots.
+  const usedOpcodes = new Set(Object.values(compiler.OP).filter(v => v !== undefined));
+  if (usedOpcodes.size > U16_MAX) return {
+    bytecode: bc
+  };
+
+  // ── Step 1: count window frequencies ──────────────────────────────────────
+  const freqMap = new Map();
+  for (let i = 0; i < bc.length; i++) {
+    for (let len = 2; len <= 5; len++) {
+      if (i + len > bc.length) break;
+      const ops = [];
+      let valid = true;
+      for (let j = 0; j < len; j++) {
+        const op = bc[i + j][0];
+        if (!isEligible(op, compiler)) {
+          valid = false;
+          break;
+        }
+        ops.push(op);
+      }
+      // If position (i+j) is ineligible, longer windows from i are also invalid.
+      if (!valid) break;
+      const key = ops.join(",");
+      const entry = freqMap.get(key);
+      if (entry) {
+        entry.count++;
+      } else {
+        freqMap.set(key, {
+          ops,
+          count: 1
+        });
+      }
+    }
+  }
+
+  // ── Step 2: keep repeated candidates, prioritise by frequency then length ─
+  const candidates = Array.from(freqMap.values()).filter(e => e.count >= 2).sort((a, b) => b.count - a.count || b.ops.length - a.ops.length);
+  if (candidates.length === 0) return {
+    bytecode: bc
+  };
+
+  // ── Step 3: assign free opcode slots to the best candidates ───────────────
+  for (let i = 0; i < candidates.length; i++) {
+    const macroOp = nextFreeSlot(usedOpcodes);
+    if (macroOp === -1) break;
+    const ops = candidates[i].ops;
+    compiler.MACRO_OPS[macroOp] = ops;
+    // Register a combined name so OP_NAME and comment generation both work.
+    let combinedName = ops.map(v => compiler.OP_NAME[v] ?? `OP_${v}`).join(",");
+    compiler.OP_NAME[macroOp] = combinedName;
+  }
+
+  // ── Step 4: build signature → macro opcode lookup ─────────────────────────
+  const sigToMacro = new Map();
+  for (const [macroOpStr, ops] of Object.entries(compiler.MACRO_OPS)) {
+    sigToMacro.set(ops.join(","), Number(macroOpStr));
+  }
+
+  // ── Step 5: replace sequences with a single multi-operand macro instruction ─
+  // Emit [macroOpCode, ...all operands from all constituent instructions].
+  // The runtime handler inlines each sub-instruction body; those bodies call
+  // this._operand() themselves to consume the operands in order.
+  const result = [];
+  let i = 0;
+  while (i < bc.length) {
+    let matched = false;
+    for (let len = 5; len >= 2; len--) {
+      if (i + len > bc.length) continue;
+      const instructions = [];
+      let valid = true;
+      for (let j = 0; j < len; j++) {
+        const instr = bc[i + j];
+        const op = instr[0];
+        if (!isEligible(op, compiler)) {
+          valid = false;
+          break;
+        }
+        instructions.push(instr);
+      }
+      if (!valid) continue;
+      const key = instructions.map(instr => instr[0]).join(",");
+      if (!sigToMacro.has(key)) continue;
+      const macroOpCode = sigToMacro.get(key);
+
+      // Collect all operands from every constituent instruction, in order.
+      // Each instruction contributes instr.slice(1) — zero or more operands.
+      const allOperands = [];
+      for (let j = 0; j < len; j++) {
+        allOperands.push(...bc[i + j].slice(1));
+      }
+      const newInstr = [macroOpCode, ...allOperands];
+      newInstr[SOURCE_NODE_SYM] = instructions[0][SOURCE_NODE_SYM];
+      result.push(newInstr);
+      i += len;
+      matched = true;
+      break;
+    }
+    if (!matched) {
+      result.push(bc[i]);
+      i++;
+    }
+  }
+  return {
+    bytecode: result
+  };
+}

package/dist/transforms/{resolveContants.js → bytecode/resolveContants.js}

@@ -1,25 +1,35 @@
-import { SOURCE_NODE_SYM } from "../compiler.js";
+import { SOURCE_NODE_SYM } from "../../compiler.js";
 
 // Resolve all {type:"constant", value} operands to integer indices into the
 // constants pool.  Returns both the resolved bytecode and the constants array
 // so the Serializer can use it for comment generation and output.
+// Constant refs may appear at any operand position (index 1, 2, 3, …).
 export function resolveConstants(bc) {
   const constants = [];
   const constantsMap = new Map();
-  function intern(value) {
+  function intern(operand) {
+    const operandAsObject = typeof operand === "object" && operand ? operand : {};
+    const value = operand.value;
     let idx = constantsMap.get(value);
     if (typeof idx !== "number") {
       idx = constants.length;
       constantsMap.set(value, idx);
       constants.push(value);
     }
-    return idx;
+    const newOperand = {
+      ...operandAsObject,
+      type: "number",
+      resolvedValue: idx
+    };
+    return newOperand;
   }
   const resolved = [];
   for (const instr of bc) {
-    const [op, operand] = instr;
-    if (operand !== undefined && operand !== null && typeof operand === "object" && operand.type === "constant") {
-      const newInstr = [op, intern(operand.value)];
+    const [op, ...operands] = instr;
+    const hasConstant = operands.some(o => o !== undefined && o !== null && typeof o === "object" && o.type === "constant");
+    if (hasConstant) {
+      const newOperands = operands.map(operand => operand?.type === "constant" ? intern(operand) : operand);
+      const newInstr = [op, ...newOperands];
       newInstr[SOURCE_NODE_SYM] = instr[SOURCE_NODE_SYM];
       resolved.push(newInstr);
     } else {

package/dist/transforms/bytecode/resolveLabels.js

@@ -0,0 +1,80 @@
+// --- Label IR ---
+// During compilation, jump targets are symbolic labels instead of hard-coded
+// PC numbers.  Two IR "pseudo operands" carry the label information:
+//
+//   defineLabel operand  : [null, {type:"defineLabel", label:"FN_ENTRY_1"}]
+//     Marks a position in the bytecode array.
+//     resolveLabels() strips these out entirely.
+//
+//   label ref operand      : [OP.JUMP, {type:"label", label:"FN_ENTRY_1"}]
+//     Used as the operand of any jump instruction. resolveLabels() replaces
+//     it with the integer PC that the corresponding defineLabel resolves to.
+//
+// The output bytecode is still a nested array of instructions.
+// Flattening (one u16 slot per op, one per operand) happens in the Serializer.
+// PC values computed here reflect the FLAT slot index so that jump targets,
+// startPc, and LOAD_INT label operands are all correct after flattening.
+
+import { SOURCE_NODE_SYM } from "../../compiler.js";
+
+// Resolve symbolic labels to absolute flat-PC indices within a bytecode array.
+// defineLabel pseudo-instructions are stripped; label-ref operands become ints.
+// Each instruction [op, ...operands] occupies (1 + operands.length) flat slots,
+// so realPc advances by instr.length for every non-pseudo instruction.
+export function resolveLabels(bc, compiler) {
+  // Pass 1 – walk the array and record each label's flat PC, counting
+  // real instructions by their full flat width (1 op + N operands).
+  const labelToPc = new Map();
+  let realPc = 0;
+  for (const instr of bc) {
+    const op = instr[0];
+    const operand = instr[1];
+    if (op === null && operand !== null && typeof operand === "object" && operand.type === "defineLabel") {
+      labelToPc.set(operand.label, realPc);
+    } else {
+      // Each instruction occupies 1 slot for the opcode + 1 per operand.
+      // IMPORTANT: 'placeholder' operands are not counted
+      realPc += instr.filter(x => x?.placeholder !== true).length;
+    }
+  }
+
+  // Pass 2 – build the resolved instruction list.
+  // Label refs may appear at any operand position, so scan all of them.
+  const resolved = [];
+  for (const instr of bc) {
+    const [op, ...operands] = instr;
+
+    // Strip defineLabel pseudo-ops.
+    if (op === null && typeof operands[0] === "object" && operands[0]?.type === "defineLabel") {
+      continue;
+    }
+
+    // Replace label-ref operands with their resolved flat PC (any position).
+    const newOperands = operands.map(operand => {
+      if (operand !== undefined && operand !== null && typeof operand === "object" && operand.type === "label") {
+        const pc = labelToPc.get(operand.label);
+        if (pc === undefined) throw new Error(`Undefined label: ${operand.label}`);
+        var operandAsObject = typeof operand === "object" && operand ? operand : {};
+        const newOperand = {
+          ...operandAsObject,
+          // Preverse original operand properties
+          type: "number",
+          resolvedValue: pc + (operand.offset ?? 0)
+        };
+        return newOperand;
+      }
+      return operand;
+    });
+    const newInstr = [op, ...newOperands];
+    newInstr[SOURCE_NODE_SYM] = instr[SOURCE_NODE_SYM];
+    resolved.push(newInstr);
+  }
+
+  // Patch each function descriptor's startPc now that labels are resolved.
+  for (const desc of compiler.fnDescriptors) {
+    desc.startPc = labelToPc.get(desc.startLabel) ?? labelToPc.get(desc.entryLabel);
+  }
+  return {
+    bytecode: resolved
+  };
+}

package/dist/transforms/{selfModifying.js → bytecode/selfModifying.js}

@@ -1,21 +1,22 @@
+import { choice } from "../utils/random-utils.js";
 export function selfModifying(bc, compiler) {
   // Walk the bytecode looking for "defineLabel" pseudo-ops, which start basic
   // blocks. For each block we collect the body (instructions between the label
   // and the next label/jump terminator), move it to the end of the bytecode
   // under a fresh "patch_LXX" label, and replace it in-place with:
   //
-  //   defineLabel ("originalLabel")         ← kept as-is (pseudo-op)
-  //   LOAD_INT  { label: patch_LXX, offset: N }   ← push slice-end PC
-  //   LOAD_INT  { label: patch_LXX }               ← push slice-start PC
-  //   PATCH     { label: originalLabel, offset: 3 } ← destPc = L+3
-  //   LOAD_INT 0  × N                              ← N placeholder instructions
+  //   defineLabel ("originalLabel")               ← kept as-is (pseudo-op)
+  //   PATCH  destPc  sliceStart  sliceEnd          ← 4 flat slots total
+  //   Garbage Opcodes  × bodyFlatSize                         ← placeholder slots
   //
-  // PATCH pops (start, end) from the stack and copies bytecode[start..end) to
-  // bytecode[destPc..]. Since destPc = L+3 = first placeholder, the body is
-  // written exactly over the placeholder region on the first call.  Subsequent
-  // calls are idempotent (same bytes written again).  Execution falls through
-  // from PATCH into the freshly-patched body at L+3, then continues naturally
-  // to whatever terminator (JUMP/RETURN) follows at L+3+N.
+  // PATCH reads three inline operands via _operand():
+  //   destPc     = originalLabel + 4  (first slot after PATCH's own 4 slots)
+  //   sliceStart = patchLabel          (flat PC of appended body)
+  //   sliceEnd   = patchLabel + bodyFlatSize
+  //
+  // On first execution PATCH copies bytecode[sliceStart..sliceEnd) over the
+  // placeholder region starting at destPc.  Execution then falls through into
+  // the freshly-patched body.  Subsequent calls are idempotent.
 
   const {
     OP,
@@ -45,9 +46,8 @@ export function selfModifying(bc, compiler) {
           break;
         }
 
-        // Jump instructions, RETURN, and DATA (function header words) all
-        // terminate the body without being included in it.
-        if (nextOp !== null && (JUMP_OPS.has(nextOp) || nextOp === OP.RETURN || nextOp === OP.DATA)) {
+        // Jump instructions, RETURN all terminate the body.
+        if (nextOp !== null && (JUMP_OPS.has(nextOp) || nextOp === OP.RETURN)) {
           break;
         }
         j++;
@@ -60,31 +60,31 @@ export function selfModifying(bc, compiler) {
       }
       const patchLabel = `patch_${originalLabel}_${patchCount++}`;
 
-      // ── Stub (3 real instructions) ──────────────────────────────────────
-      // LOAD_INT pushes the end-index of the body slice (patchLabel_pc + N).
-      // LOAD_INT pushes the start-index (patchLabel_pc).
-      // Stack before PATCH: [end (bottom), start (top)].
-      // PATCH: slice(pop()=start, pop()=end) copies the body to destPc = L+3.
-      result.push([OP.LOAD_INT, {
+      // Flat size of the body (each instruction occupies instr.length slots).
+      const bodyFlatSize = body.reduce((acc, instr) => acc + instr.filter(x => x?.placeholder !== true).length, 0);
+
+      // ── PATCH instruction (4 flat slots: opcode + 3 operands) ───────────
+      //   destPc     = originalLabel + 4  (slot right after PATCH's 4 slots)
+      //   sliceStart = patchLabel
+      //   sliceEnd   = patchLabel + bodyFlatSize
+      result.push([OP.PATCH, {
         type: "label",
-        label: patchLabel,
-        offset: N
-      }]);
-      result.push([OP.LOAD_INT, {
+        label: originalLabel,
+        offset: 4
+      }, {
         type: "label",
         label: patchLabel
-      }]);
-      result.push([OP.PATCH, {
+      }, {
         type: "label",
-        label: originalLabel,
-        offset: 3
+        label: patchLabel,
+        offset: bodyFlatSize
       }]);
 
-      // ── Placeholders (N instructions) ───────────────────────────────────
-      // These are overwritten by PATCH on the first execution.  They never
-      // execute as LOAD_INT 0 in a correct run.
-      for (let p = 0; p < N; p++) {
-        result.push([OP.LOAD_INT, 0]);
+      // ── Placeholders (Garbage Opcodes * bodyFlatSize, each 1 flat slot) ────────────
+      // These are overwritten by PATCH on first execution.
+      for (let p = 0; p < bodyFlatSize; p++) {
+        const randomOpcode = choice(Object.values(compiler.OP));
+        result.push([+randomOpcode]);
       }
 
       // ── Append real body at end ─────────────────────────────────────────