js-confuser-vm 0.0.4 → 0.0.6

package/dist/transforms/bytecode/aliasedOpcodes.js

@@ -0,0 +1,140 @@
+import { SOURCE_NODE_SYM } from "../../compiler.js";
+import { nextFreeSlot, U16_MAX } from "../../utils/op-utils.js";
+import { shuffle } from "../../utils/random-utils.js";
+
+// Opcodes that must not be aliased.
+// Variable-length operand opcodes cannot be statically aliased since the
+// number of this._operand() calls varies at runtime.
+// Infrastructure opcodes (PATCH, TRY_SETUP, TRY_END, DEBUGGER) are excluded
+// because aliasing them would interfere with self-modifying bytecode and
+// exception-handling machinery.
+const DISALLOWED_OP_NAMES = new Set(["MAKE_CLOSURE", "BUILD_ARRAY", "BUILD_OBJECT", "CALL", "CALL_METHOD", "NEW", "PATCH", "TRY_SETUP", "TRY_END", "DEBUGGER"]);
+
+// Creates aliased opcodes: duplicate handlers for commonly-used opcodes,
+// optionally with a permuted operand read order in the bytecode stream.
+//
+// For each aliased op, we record an `order` permutation of length `arity`.
+// order[i] = j means: bytecode slot i holds what was originally operand j.
+//
+// Example: LOAD_GLOBAL [dst, nameIdx] with order=[1,0]:
+//   Bytecode stores:  [ALIAS_OP, nameIdx, dst]
+//   Handler reads:    _unsortedOperands = [nameIdx, dst]
+//                     _operands = [_unsortedOperands[1], _unsortedOperands[0]]
+//                               = [dst, nameIdx]   ← original order restored
+//
+// Runs LAST among bytecode transforms (after selfModifying), before resolveLabels.
+export function aliasedOpcodes(bc, compiler) {
+  // Build a map of base opcode value → name, excluding disallowed ops
+  const baseOpValueToName = new Map();
+  for (const [name, val] of Object.entries(compiler.OP)) {
+    if (DISALLOWED_OP_NAMES.has(name)) continue;
+    baseOpValueToName.set(val, name);
+  }
+
+  // Collect all currently used opcode slots (base + any dynamically assigned)
+  const usedOpcodes = new Set(Object.keys(compiler.OP_NAME).map(k => parseInt(k, 10)).filter(v => !isNaN(v)));
+  if (usedOpcodes.size > U16_MAX) return {
+    bytecode: bc
+  };
+
+  // ── Step 1: count frequency and determine arity for each eligible base opcode ─
+  // We scan the actual post-transform bytecode so frequency reflects what's
+  // really left (specialized/macro ops already consumed their share).
+  const opStats = new Map();
+  for (const instr of bc) {
+    const op = instr[0];
+    if (op === null || !baseOpValueToName.has(op)) continue;
+    const arity = instr.length - 1;
+    if (arity < 1) continue; // 0-operand opcodes have nothing to permute
+
+    const existing = opStats.get(op);
+    if (!existing) {
+      opStats.set(op, {
+        freq: 1,
+        arity
+      });
+    } else {
+      if (existing.arity !== arity) {
+        // Inconsistent arity → variable-length; skip
+        existing.arity = null;
+      }
+      existing.freq++;
+    }
+  }
+
+  // ── Step 2: sort by frequency descending, keep only consistent-arity ops ────
+  const candidates = Array.from(opStats.entries()).filter(([, s]) => s.arity !== null).sort(([, a], [, b]) => b.freq - a.freq);
+  if (candidates.length === 0) return {
+    bytecode: bc
+  };
+
+  // ── Step 3: assign free slots, build order permutations ─────────────────────
+  // aliasMap: originalOp → aliasOp (only the winning alias per original op)
+  const aliasMap = new Map();
+  const aliasedOps = {};
+  for (const [originalOp, stats] of candidates) {
+    const aliasOp = nextFreeSlot(usedOpcodes);
+    if (aliasOp === -1) break;
+    const arity = stats.arity;
+
+    // Build a permutation of [0 .. arity-1].
+    // For arity >= 2: shuffle until we get a non-identity permutation so the
+    // operand order is actually different (makes the alias more confusing).
+    // For arity == 1: only one permutation exists ([0]); still useful as a clone.
+    let order;
+    if (arity >= 2) {
+      const identity = Array.from({
+        length: arity
+      }, (_, i) => i);
+      let attempts = 0;
+      do {
+        order = shuffle([...identity]);
+        attempts++;
+      } while (attempts < 20 && order.every((v, i) => v === i));
+    } else {
+      order = [0];
+    }
+    aliasMap.set(originalOp, aliasOp);
+    aliasedOps[aliasOp] = {
+      originalOp,
+      order
+    };
+    const originalName = compiler.OP_NAME[originalOp] ?? `OP_${originalOp}`;
+    compiler.OP_NAME[aliasOp] = `ALIAS_${originalName}_${order.join("_")}`;
+  }
+  compiler.ALIASED_OPS = aliasedOps;
+  if (aliasMap.size === 0) return {
+    bytecode: bc
+  };
+
+  // ── Step 4: rewrite bytecode ─────────────────────────────────────────────────
+  const result = [];
+  for (const instr of bc) {
+    const op = instr[0];
+    if (op === null || !aliasMap.has(op)) {
+      result.push(instr);
+      continue;
+    }
+    const aliasOp = aliasMap.get(op);
+    const {
+      order
+    } = aliasedOps[aliasOp];
+    const originalOperands = instr.slice(1);
+
+    // Guard: if arity changed (shouldn't happen after the consistency check),
+    // fall back to the original instruction.
+    if (originalOperands.length !== order.length) {
+      result.push(instr);
+      continue;
+    }
+
+    // Rearrange operands: new slot i receives original operand order[i].
+    const newOperands = order.map(i => originalOperands[i]);
+    const newInstr = [aliasOp, ...newOperands];
+    newInstr[SOURCE_NODE_SYM] = instr[SOURCE_NODE_SYM];
+    result.push(newInstr);
+  }
+  return {
+    bytecode: result
+  };
+}

package/dist/transforms/bytecode/concealConstants.js

@@ -0,0 +1,31 @@
+export function concealConstants(bytecode, compiler) {
+  const newBytecode = [];
+  for (const instr of bytecode) {
+    const [op, ...operands] = instr;
+    const hasContant = operands.some(o => o !== undefined && o !== null && typeof o === "object" && o.type === "constant");
+    if (!hasContant) {
+      newBytecode.push(instr);
+      continue;
+    }
+    const newOperands = [];
+    for (const operand of operands) {
+      if (operand?.type === "constant") {
+        const tsOperand = operand;
+        newOperands.push(operand);
+        newOperands.push({
+          type: "constant",
+          value: tsOperand.value,
+          key: true
+        });
+      } else {
+        newOperands.push(operand);
+      }
+    }
+    instr.length = 0;
+    instr.push(op, ...newOperands);
+    newBytecode.push(instr);
+  }
+  return {
+    bytecode: newBytecode
+  };
+}

package/dist/transforms/bytecode/macroOpcodes.js

@@ -0,0 +1,164 @@
+import { SOURCE_NODE_SYM } from "../../compiler.js";
+import { nextFreeSlot, U16_MAX } from "../../utils/op-utils.js";
+
+// Opcodes that must not appear in a non-terminal position inside a macro window.
+// Jump ops: modifying frame._pc mid-execution causes the macro handler to
+//   run subsequent sub-bodies even after the jump already fired.
+// Frame-changing ops (CALL, CALL_METHOD, NEW, RETURN, THROW): push/pop call
+//   frames mid-macro, leaving the `frame` variable stale for later sub-bodies.
+// When one of these is the LAST instruction in the macro sequence there are no
+//   following sub-bodies, so editing _pc or the call frame is safe.
+// Variable-operand ops (MAKE_CLOSURE): the number of _operand() calls depends
+//   on uvCount at runtime, so a static handler cannot be generated.
+// Infrastructure ops (PATCH, TRY_SETUP, TRY_END, DEBUGGER):
+//   either illegal here or nonsensical to fold.
+
+// Scan bytecode for repeating instruction sequences and fold them into
+// macro opcodes.  Runs after selfModifying but before resolveLabels so
+// IR-ref operands (label/constant) are carried through transparently.
+//
+// Algorithm:
+//   1. Count every eligible window of length 2–5 by its op-code signature.
+//   2. Keep sequences that appear >= 2 times; sort by frequency then length.
+//   3. Assign unused opcode values (0–255, not already claimed by compiler.OP)
+//      to the most-frequent candidates and store in compiler.MACRO_OPS.
+//   4. Re-scan bytecode, replacing each matched sequence with a single
+//      multi-operand instruction:
+//        [macroOpCode, operands_of_instr_0..., operands_of_instr_1..., ...]
+//      The runtime macro handler inlines each sub-instruction body; those
+//      bodies call this._operand() themselves to consume the inline operands.
+export function macroOpcodes(bc, compiler) {
+  const originalOpToName = new Map();
+  for (const name in compiler.OP) {
+    const opVal = compiler.OP[name];
+    originalOpToName.set(opVal, name);
+  }
+  function isEligible(op, compiler, isLast = false) {
+    if (op === null) return false;
+    const {
+      OP,
+      JUMP_OPS
+    } = compiler;
+    // Infrastructure and variable-length ops are never eligible.
+    const alwaysExcluded = new Set([OP.PATCH, OP.TRY_SETUP, OP.TRY_END, OP.DEBUGGER, OP.MAKE_CLOSURE // variable-length operands — cannot generate a static handler
+    ]);
+    if (alwaysExcluded.has(op)) return false;
+    // Jump and frame-changing ops are only eligible as the terminal instruction.
+    if (!isLast) {
+      if (JUMP_OPS.has(op)) return false;
+      const nonTerminalExcluded = new Set([OP.RETURN, OP.CALL, OP.CALL_METHOD, OP.NEW, OP.THROW]);
+      if (nonTerminalExcluded.has(op)) return false;
+    }
+    return originalOpToName.has(op); // Only original Ops are eligible (specialized disallowed)
+  }
+
+  // Collect every opcode value already in use so we can find free slots.
+  const usedOpcodes = new Set(Object.values(compiler.OP).filter(v => v !== undefined));
+  if (usedOpcodes.size > U16_MAX) return {
+    bytecode: bc
+  };
+
+  // ── Step 1: count window frequencies ──────────────────────────────────────
+  const freqMap = new Map();
+  for (let i = 0; i < bc.length; i++) {
+    for (let len = 2; len <= 5; len++) {
+      if (i + len > bc.length) break;
+      const ops = [];
+      let valid = true;
+      for (let j = 0; j < len; j++) {
+        const op = bc[i + j][0];
+        const isLast = j === len - 1;
+        if (!isEligible(op, compiler, isLast)) {
+          valid = false;
+          break;
+        }
+        ops.push(op);
+      }
+      // If position (i+j) is ineligible even as a terminal, longer windows from
+      // i are also invalid (it would be non-terminal there too).
+      if (!valid) break;
+      const key = ops.join(",");
+      const entry = freqMap.get(key);
+      if (entry) {
+        entry.count++;
+      } else {
+        freqMap.set(key, {
+          ops,
+          count: 1
+        });
+      }
+    }
+  }
+
+  // ── Step 2: keep repeated candidates, prioritise by frequency then length ─
+  const candidates = Array.from(freqMap.values()).filter(e => e.count >= 2).sort((a, b) => b.count - a.count || b.ops.length - a.ops.length);
+  if (candidates.length === 0) return {
+    bytecode: bc
+  };
+
+  // ── Step 3: assign free opcode slots to the best candidates ───────────────
+  for (let i = 0; i < candidates.length; i++) {
+    const macroOp = nextFreeSlot(usedOpcodes);
+    if (macroOp === -1) break;
+    const ops = candidates[i].ops;
+    compiler.MACRO_OPS[macroOp] = ops;
+    // Register a combined name so OP_NAME and comment generation both work.
+    let combinedName = ops.map(v => compiler.OP_NAME[v] ?? `OP_${v}`).join(",");
+    compiler.OP_NAME[macroOp] = combinedName;
+  }
+
+  // ── Step 4: build signature → macro opcode lookup ─────────────────────────
+  const sigToMacro = new Map();
+  for (const [macroOpStr, ops] of Object.entries(compiler.MACRO_OPS)) {
+    sigToMacro.set(ops.join(","), Number(macroOpStr));
+  }
+
+  // ── Step 5: replace sequences with a single multi-operand macro instruction ─
+  // Emit [macroOpCode, ...all operands from all constituent instructions].
+  // The runtime handler inlines each sub-instruction body; those bodies call
+  // this._operand() themselves to consume the operands in order.
+  const result = [];
+  let i = 0;
+  while (i < bc.length) {
+    let matched = false;
+    for (let len = 5; len >= 2; len--) {
+      if (i + len > bc.length) continue;
+      const instructions = [];
+      let valid = true;
+      for (let j = 0; j < len; j++) {
+        const instr = bc[i + j];
+        const op = instr[0];
+        const isLast = j === len - 1;
+        if (!isEligible(op, compiler, isLast)) {
+          valid = false;
+          break;
+        }
+        instructions.push(instr);
+      }
+      if (!valid) continue;
+      const key = instructions.map(instr => instr[0]).join(",");
+      if (!sigToMacro.has(key)) continue;
+      const macroOpCode = sigToMacro.get(key);
+
+      // Collect all operands from every constituent instruction, in order.
+      // Each instruction contributes instr.slice(1) — zero or more operands.
+      const allOperands = [];
+      for (let j = 0; j < len; j++) {
+        allOperands.push(...bc[i + j].slice(1));
+      }
+      const newInstr = [macroOpCode, ...allOperands];
+      newInstr[SOURCE_NODE_SYM] = instructions[0][SOURCE_NODE_SYM];
+      result.push(newInstr);
+      i += len;
+      matched = true;
+      break;
+    }
+    if (!matched) {
+      result.push(bc[i]);
+      i++;
+    }
+  }
+  return {
+    bytecode: result
+  };
+}

package/dist/transforms/bytecode/resolveContants.js

@@ -0,0 +1,106 @@
+import { SOURCE_NODE_SYM } from "../../compiler.js";
+import { getRandomInt } from "../../utils/random-utils.js";
+import { U16_MAX } from "../../utils/op-utils.js";
+
+// Encrypt a string with a position-dependent XOR key (u16) then base64-encode.
+//
+// Each char code is XOR'd with ((key + i) & 0xFFFF), producing a u16 value.
+// The u16 values are packed as little-endian byte pairs (matching decodeBytecode),
+// then base64-encoded so the stored constant is always safe ASCII — no raw Unicode
+// surrogates, control chars, or quote chars that would break JS string literals.
+function concealString(s, key) {
+  const bytes = new Uint8Array(s.length * 2);
+  for (let i = 0; i < s.length; i++) {
+    const code = s.charCodeAt(i) ^ key + i & 0xffff;
+    bytes[i * 2] = code & 0xff;
+    bytes[i * 2 + 1] = code >> 8 & 0xff;
+  }
+  return Buffer.from(bytes).toString("base64");
+}
+
+// Resolve all {type:"constant", value} operands to a PAIR of integer operands:
+//   [constPoolIndex, concealKey]
+//
+// constPoolIndex — index into the constants array (as before).
+// concealKey     — XOR key used to conceal this constant.
+//                  0 means no concealment (concealConstants is off, or the
+//                  value type is not concealable: null, undefined, bool, float…).
+//
+// The constants array stores the CONCEALED value when key != 0.
+// The runtime's _readConstant(idx, key) reverses the concealment on the fly.
+//
+// Both slots are u16; all existing operand serialization handles them identically.
+export function resolveConstants(bc, compiler) {
+  const constants = [];
+  const constantsMap = new Map(); // original value → pool index
+  const keyMap = new Map(); // pool index → conceal key
+
+  function intern(operand) {
+    const operandAsObject = typeof operand === "object" && operand ? operand : {};
+    const value = operand.value;
+    let idx = constantsMap.get(value);
+    let key = 0;
+    if (typeof idx !== "number") {
+      idx = constants.length;
+      constantsMap.set(value, idx);
+      if (compiler.options.concealConstants && typeof value === "string") {
+        // Strings: position-dependent XOR. Key must be >= 1.
+        key = getRandomInt(1, U16_MAX);
+        constants.push(concealString(value, key));
+      } else if (compiler.options.concealConstants && typeof value === "number" && Number.isInteger(value)) {
+        // Integers: simple XOR. Result is still a valid JS integer.
+        key = getRandomInt(1, U16_MAX);
+        constants.push(value ^ key);
+      } else {
+        // Not concealable (null, undefined, boolean, float, RegExp…) or option off.
+        key = 0;
+        constants.push(value);
+      }
+      keyMap.set(idx, key);
+    } else {
+      // Reuse existing pool entry — same key that was assigned on first intern.
+      key = keyMap.get(idx);
+    }
+    const idxOperand = {
+      ...operandAsObject,
+      type: "number",
+      resolvedValue: idx
+    };
+    const keyOperand = {
+      ...operandAsObject,
+      type: "number",
+      resolvedValue: key
+    };
+
+    // key is a plain u16 number — no wrapping needed.
+    return [idxOperand, keyOperand];
+  }
+  const resolved = [];
+  for (const instr of bc) {
+    const [op, ...operands] = instr;
+    const hasConstant = operands.some(o => o !== undefined && o !== null && typeof o === "object" && o.type === "constant");
+    if (hasConstant) {
+      // 1-to-2 expansion: each {type:"constant"} becomes [constIdx, concealKey].
+      const newOperands = [];
+      for (const operand of operands) {
+        if (operand?.type === "constant") {
+          const [idxOperand, key] = intern(operand);
+          const newOperand = operand?.key ? key : idxOperand;
+          newOperands.push(newOperand);
+          // newOperands.push(key); // plain number — serialized as a regular u16 slot
+        } else {
+          newOperands.push(operand);
+        }
+      }
+      const newInstr = [op, ...newOperands];
+      newInstr[SOURCE_NODE_SYM] = instr[SOURCE_NODE_SYM];
+      resolved.push(newInstr);
+    } else {
+      resolved.push(instr);
+    }
+  }
+  return {
+    bytecode: resolved,
+    constants
+  };
+}

package/dist/transforms/bytecode/resolveLabels.js

@@ -0,0 +1,80 @@
+// --- Label IR ---
+// During compilation, jump targets are symbolic labels instead of hard-coded
+// PC numbers.  Two IR "pseudo operands" carry the label information:
+//
+//   defineLabel operand  : [null, {type:"defineLabel", label:"FN_ENTRY_1"}]
+//     Marks a position in the bytecode array.
+//     resolveLabels() strips these out entirely.
+//
+//   label ref operand      : [OP.JUMP, {type:"label", label:"FN_ENTRY_1"}]
+//     Used as the operand of any jump instruction. resolveLabels() replaces
+//     it with the integer PC that the corresponding defineLabel resolves to.
+//
+// The output bytecode is still a nested array of instructions.
+// Flattening (one u16 slot per op, one per operand) happens in the Serializer.
+// PC values computed here reflect the FLAT slot index so that jump targets,
+// startPc, and LOAD_INT label operands are all correct after flattening.
+
+import { SOURCE_NODE_SYM } from "../../compiler.js";
+
+// Resolve symbolic labels to absolute flat-PC indices within a bytecode array.
+// defineLabel pseudo-instructions are stripped; label-ref operands become ints.
+// Each instruction [op, ...operands] occupies (1 + operands.length) flat slots,
+// so realPc advances by instr.length for every non-pseudo instruction.
+export function resolveLabels(bc, compiler) {
+  // Pass 1 – walk the array and record each label's flat PC, counting
+  // real instructions by their full flat width (1 op + N operands).
+  const labelToPc = new Map();
+  let realPc = 0;
+  for (const instr of bc) {
+    const op = instr[0];
+    const operand = instr[1];
+    if (op === null && operand !== null && typeof operand === "object" && operand.type === "defineLabel") {
+      labelToPc.set(operand.label, realPc);
+    } else {
+      // Each instruction occupies 1 slot for the opcode + 1 per operand.
+      // IMPORTANT: 'placeholder' operands are not counted
+      realPc += instr.filter(x => x?.placeholder !== true).length;
+    }
+  }
+
+  // Pass 2 – build the resolved instruction list.
+  // Label refs may appear at any operand position, so scan all of them.
+  const resolved = [];
+  for (const instr of bc) {
+    const [op, ...operands] = instr;
+
+    // Strip defineLabel pseudo-ops.
+    if (op === null && typeof operands[0] === "object" && operands[0]?.type === "defineLabel") {
+      continue;
+    }
+
+    // Replace label-ref operands with their resolved flat PC (any position).
+    const newOperands = operands.map(operand => {
+      if (operand !== undefined && operand !== null && typeof operand === "object" && operand.type === "label") {
+        const pc = labelToPc.get(operand.label);
+        if (pc === undefined) throw new Error(`Undefined label: ${operand.label}`);
+        var operandAsObject = typeof operand === "object" && operand ? operand : {};
+        const newOperand = {
+          ...operandAsObject,
+          // Preverse original operand properties
+          type: "number",
+          resolvedValue: pc + (operand.offset ?? 0)
+        };
+        return newOperand;
+      }
+      return operand;
+    });
+    const newInstr = [op, ...newOperands];
+    newInstr[SOURCE_NODE_SYM] = instr[SOURCE_NODE_SYM];
+    resolved.push(newInstr);
+  }
+
+  // Patch each function descriptor's startPc now that labels are resolved.
+  for (const desc of compiler.fnDescriptors) {
+    desc.startPc = labelToPc.get(desc.startLabel) ?? labelToPc.get(desc.entryLabel);
+  }
+  return {
+    bytecode: resolved
+  };
+}

package/dist/transforms/bytecode/selfModifying.js

@@ -0,0 +1,108 @@
+import { choice } from "../../utils/random-utils.js";
+import { getInstructionSize } from "../../utils/op-utils.js";
+export function selfModifying(bc, compiler) {
+  // Walk the bytecode looking for "defineLabel" pseudo-ops, which start basic
+  // blocks. For each block we collect the body (instructions between the label
+  // and the next label/jump terminator), move it to the end of the bytecode
+  // under a fresh "patch_LXX" label, and replace it in-place with:
+  //
+  //   defineLabel ("originalLabel")               ← kept as-is (pseudo-op)
+  //   PATCH  destPc  sliceStart  sliceEnd          ← 4 flat slots total
+  //   Garbage Opcodes  × bodyFlatSize                         ← placeholder slots
+  //
+  // PATCH reads three inline operands via _operand():
+  //   destPc     = originalLabel + 4  (first slot after PATCH's own 4 slots)
+  //   sliceStart = patchLabel          (flat PC of appended body)
+  //   sliceEnd   = patchLabel + bodyFlatSize
+  //
+  // On first execution PATCH copies bytecode[sliceStart..sliceEnd) over the
+  // placeholder region starting at destPc.  Execution then falls through into
+  // the freshly-patched body.  Subsequent calls are idempotent.
+
+  const {
+    OP,
+    JUMP_OPS
+  } = compiler;
+  const result = [];
+  const appended = [];
+  let patchCount = 0;
+  let i = 0;
+  while (i < bc.length) {
+    const instr = bc[i];
+    const [op, operand] = instr;
+
+    // Detect a defineLabel pseudo-op — start of a new basic block.
+    if (op === null && operand !== null && typeof operand === "object" && operand.type === "defineLabel") {
+      const originalLabel = operand.label;
+      result.push(instr); // keep the defineLabel marker
+      i++;
+
+      // Collect body: everything after the label until the next terminator.
+      let j = i;
+      while (j < bc.length) {
+        const [nextOp, nextOperand] = bc[j];
+
+        // Another defineLabel = boundary of the next block.
+        if (nextOp === null && typeof nextOperand === "object" && nextOperand?.type === "defineLabel") {
+          break;
+        }
+
+        // Jump instructions, RETURN all terminate the body.
+        if (nextOp !== null && (JUMP_OPS.has(nextOp) || nextOp === OP.RETURN)) {
+          break;
+        }
+        j++;
+      }
+      const body = bc.slice(i, j);
+      const N = body.length;
+      if (N === 0) {
+        // Nothing to transform — label is immediately followed by a terminator.
+        continue;
+      }
+      const patchLabel = `patch_${originalLabel}_${patchCount++}`;
+
+      // Flat size of the body (each instruction occupies instr.length slots).
+      const bodyFlatSize = body.reduce((acc, instr) => acc + getInstructionSize(instr), 0);
+
+      // ── PATCH instruction (4 flat slots: opcode + 3 operands) ───────────
+      //   destPc     = originalLabel + 4  (slot right after PATCH's 4 slots)
+      //   sliceStart = patchLabel
+      //   sliceEnd   = patchLabel + bodyFlatSize
+      result.push([OP.PATCH, {
+        type: "label",
+        label: originalLabel,
+        offset: 4
+      }, {
+        type: "label",
+        label: patchLabel
+      }, {
+        type: "label",
+        label: patchLabel,
+        offset: bodyFlatSize
+      }]);
+
+      // ── Placeholders (Garbage Opcodes * bodyFlatSize, each 1 flat slot) ────────────
+      // These are overwritten by PATCH on first execution.
+      for (let p = 0; p < bodyFlatSize; p++) {
+        const randomOpcode = choice(Object.values(compiler.OP));
+        result.push([+randomOpcode]);
+      }
+
+      // ── Append real body at end ─────────────────────────────────────────
+      appended.push([null, {
+        type: "defineLabel",
+        label: patchLabel
+      }]);
+      for (const bodyInstr of body) {
+        appended.push(bodyInstr);
+      }
+      i = j; // skip over the original body in the input array
+      continue;
+    }
+    result.push(instr);
+    i++;
+  }
+  return {
+    bytecode: [...result, ...appended]
+  };
+}