js-confuser-vm 0.0.5 → 0.0.6

package/dist/transforms/bytecode/aliasedOpcodes.js

@@ -0,0 +1,140 @@
+import { SOURCE_NODE_SYM } from "../../compiler.js";
+import { nextFreeSlot, U16_MAX } from "../../utils/op-utils.js";
+import { shuffle } from "../../utils/random-utils.js";
+
+// Opcodes that must not be aliased.
+// Variable-length operand opcodes cannot be statically aliased since the
+// number of this._operand() calls varies at runtime.
+// Infrastructure opcodes (PATCH, TRY_SETUP, TRY_END, DEBUGGER) are excluded
+// because aliasing them would interfere with self-modifying bytecode and
+// exception-handling machinery.
+const DISALLOWED_OP_NAMES = new Set(["MAKE_CLOSURE", "BUILD_ARRAY", "BUILD_OBJECT", "CALL", "CALL_METHOD", "NEW", "PATCH", "TRY_SETUP", "TRY_END", "DEBUGGER"]);
+
+// Creates aliased opcodes: duplicate handlers for commonly-used opcodes,
+// optionally with a permuted operand read order in the bytecode stream.
+//
+// For each aliased op, we record an `order` permutation of length `arity`.
+// order[i] = j means: bytecode slot i holds what was originally operand j.
+//
+// Example: LOAD_GLOBAL [dst, nameIdx] with order=[1,0]:
+//   Bytecode stores:  [ALIAS_OP, nameIdx, dst]
+//   Handler reads:    _unsortedOperands = [nameIdx, dst]
+//                     _operands = [_unsortedOperands[1], _unsortedOperands[0]]
+//                               = [dst, nameIdx]   ← original order restored
+//
+// Runs LAST among bytecode transforms (after selfModifying), before resolveLabels.
+export function aliasedOpcodes(bc, compiler) {
+  // Build a map of base opcode value → name, excluding disallowed ops
+  const baseOpValueToName = new Map();
+  for (const [name, val] of Object.entries(compiler.OP)) {
+    if (DISALLOWED_OP_NAMES.has(name)) continue;
+    baseOpValueToName.set(val, name);
+  }
+
+  // Collect all currently used opcode slots (base + any dynamically assigned)
+  const usedOpcodes = new Set(Object.keys(compiler.OP_NAME).map(k => parseInt(k, 10)).filter(v => !isNaN(v)));
+  if (usedOpcodes.size > U16_MAX) return {
+    bytecode: bc
+  };
+
+  // ── Step 1: count frequency and determine arity for each eligible base opcode ─
+  // We scan the actual post-transform bytecode so frequency reflects what's
+  // really left (specialized/macro ops already consumed their share).
+  const opStats = new Map();
+  for (const instr of bc) {
+    const op = instr[0];
+    if (op === null || !baseOpValueToName.has(op)) continue;
+    const arity = instr.length - 1;
+    if (arity < 1) continue; // 0-operand opcodes have nothing to permute
+
+    const existing = opStats.get(op);
+    if (!existing) {
+      opStats.set(op, {
+        freq: 1,
+        arity
+      });
+    } else {
+      if (existing.arity !== arity) {
+        // Inconsistent arity → variable-length; skip
+        existing.arity = null;
+      }
+      existing.freq++;
+    }
+  }
+
+  // ── Step 2: sort by frequency descending, keep only consistent-arity ops ────
+  const candidates = Array.from(opStats.entries()).filter(([, s]) => s.arity !== null).sort(([, a], [, b]) => b.freq - a.freq);
+  if (candidates.length === 0) return {
+    bytecode: bc
+  };
+
+  // ── Step 3: assign free slots, build order permutations ─────────────────────
+  // aliasMap: originalOp → aliasOp (only the winning alias per original op)
+  const aliasMap = new Map();
+  const aliasedOps = {};
+  for (const [originalOp, stats] of candidates) {
+    const aliasOp = nextFreeSlot(usedOpcodes);
+    if (aliasOp === -1) break;
+    const arity = stats.arity;
+
+    // Build a permutation of [0 .. arity-1].
+    // For arity >= 2: shuffle until we get a non-identity permutation so the
+    // operand order is actually different (makes the alias more confusing).
+    // For arity == 1: only one permutation exists ([0]); still useful as a clone.
+    let order;
+    if (arity >= 2) {
+      const identity = Array.from({
+        length: arity
+      }, (_, i) => i);
+      let attempts = 0;
+      do {
+        order = shuffle([...identity]);
+        attempts++;
+      } while (attempts < 20 && order.every((v, i) => v === i));
+    } else {
+      order = [0];
+    }
+    aliasMap.set(originalOp, aliasOp);
+    aliasedOps[aliasOp] = {
+      originalOp,
+      order
+    };
+    const originalName = compiler.OP_NAME[originalOp] ?? `OP_${originalOp}`;
+    compiler.OP_NAME[aliasOp] = `ALIAS_${originalName}_${order.join("_")}`;
+  }
+  compiler.ALIASED_OPS = aliasedOps;
+  if (aliasMap.size === 0) return {
+    bytecode: bc
+  };
+
+  // ── Step 4: rewrite bytecode ─────────────────────────────────────────────────
+  const result = [];
+  for (const instr of bc) {
+    const op = instr[0];
+    if (op === null || !aliasMap.has(op)) {
+      result.push(instr);
+      continue;
+    }
+    const aliasOp = aliasMap.get(op);
+    const {
+      order
+    } = aliasedOps[aliasOp];
+    const originalOperands = instr.slice(1);
+
+    // Guard: if arity changed (shouldn't happen after the consistency check),
+    // fall back to the original instruction.
+    if (originalOperands.length !== order.length) {
+      result.push(instr);
+      continue;
+    }
+
+    // Rearrange operands: new slot i receives original operand order[i].
+    const newOperands = order.map(i => originalOperands[i]);
+    const newInstr = [aliasOp, ...newOperands];
+    newInstr[SOURCE_NODE_SYM] = instr[SOURCE_NODE_SYM];
+    result.push(newInstr);
+  }
+  return {
+    bytecode: result
+  };
+}

package/dist/transforms/bytecode/concealConstants.js

@@ -0,0 +1,31 @@
+export function concealConstants(bytecode, compiler) {
+  const newBytecode = [];
+  for (const instr of bytecode) {
+    const [op, ...operands] = instr;
+    const hasContant = operands.some(o => o !== undefined && o !== null && typeof o === "object" && o.type === "constant");
+    if (!hasContant) {
+      newBytecode.push(instr);
+      continue;
+    }
+    const newOperands = [];
+    for (const operand of operands) {
+      if (operand?.type === "constant") {
+        const tsOperand = operand;
+        newOperands.push(operand);
+        newOperands.push({
+          type: "constant",
+          value: tsOperand.value,
+          key: true
+        });
+      } else {
+        newOperands.push(operand);
+      }
+    }
+    instr.length = 0;
+    instr.push(op, ...newOperands);
+    newBytecode.push(instr);
+  }
+  return {
+    bytecode: newBytecode
+  };
+}

package/dist/transforms/bytecode/macroOpcodes.js

@@ -1,14 +1,16 @@
 import { SOURCE_NODE_SYM } from "../../compiler.js";
-import { nextFreeSlot, U16_MAX } from "../utils/op-utils.js";
+import { nextFreeSlot, U16_MAX } from "../../utils/op-utils.js";
 
-// Opcodes that must not appear inside a macro window.
+// Opcodes that must not appear in a non-terminal position inside a macro window.
 // Jump ops: modifying frame._pc mid-execution causes the macro handler to
 //   run subsequent sub-bodies even after the jump already fired.
 // Frame-changing ops (CALL, CALL_METHOD, NEW, RETURN, THROW): push/pop call
 //   frames mid-macro, leaving the `frame` variable stale for later sub-bodies.
+// When one of these is the LAST instruction in the macro sequence there are no
+//   following sub-bodies, so editing _pc or the call frame is safe.
 // Variable-operand ops (MAKE_CLOSURE): the number of _operand() calls depends
 //   on uvCount at runtime, so a static handler cannot be generated.
-// Infrastructure ops (DATA, PATCH, TRY_SETUP, TRY_END, DEBUGGER):
+// Infrastructure ops (PATCH, TRY_SETUP, TRY_END, DEBUGGER):
 //   either illegal here or nonsensical to fold.
 
 // Scan bytecode for repeating instruction sequences and fold them into
@@ -31,16 +33,23 @@ export function macroOpcodes(bc, compiler) {
     const opVal = compiler.OP[name];
     originalOpToName.set(opVal, name);
   }
-  function isEligible(op, compiler) {
+  function isEligible(op, compiler, isLast = false) {
     if (op === null) return false;
     const {
       OP,
       JUMP_OPS
     } = compiler;
-    if (JUMP_OPS.has(op)) return false;
-    const excluded = new Set([OP.RETURN, OP.PATCH, OP.TRY_SETUP, OP.TRY_END, OP.DEBUGGER, OP.CALL, OP.CALL_METHOD, OP.NEW, OP.THROW, OP.MAKE_CLOSURE // variable-length operands — cannot generate a static handler
+    // Infrastructure and variable-length ops are never eligible.
+    const alwaysExcluded = new Set([OP.PATCH, OP.TRY_SETUP, OP.TRY_END, OP.DEBUGGER, OP.MAKE_CLOSURE // variable-length operands — cannot generate a static handler
     ]);
-    return !excluded.has(op) && originalOpToName.has(op); // Only original Ops are eligible (specialized disallowed)
+    if (alwaysExcluded.has(op)) return false;
+    // Jump and frame-changing ops are only eligible as the terminal instruction.
+    if (!isLast) {
+      if (JUMP_OPS.has(op)) return false;
+      const nonTerminalExcluded = new Set([OP.RETURN, OP.CALL, OP.CALL_METHOD, OP.NEW, OP.THROW]);
+      if (nonTerminalExcluded.has(op)) return false;
+    }
+    return originalOpToName.has(op); // Only original Ops are eligible (specialized disallowed)
   }
 
   // Collect every opcode value already in use so we can find free slots.
@@ -58,13 +67,15 @@ export function macroOpcodes(bc, compiler) {
       let valid = true;
       for (let j = 0; j < len; j++) {
         const op = bc[i + j][0];
-        if (!isEligible(op, compiler)) {
+        const isLast = j === len - 1;
+        if (!isEligible(op, compiler, isLast)) {
           valid = false;
           break;
         }
         ops.push(op);
       }
-      // If position (i+j) is ineligible, longer windows from i are also invalid.
+      // If position (i+j) is ineligible even as a terminal, longer windows from
+      // i are also invalid (it would be non-terminal there too).
       if (!valid) break;
       const key = ops.join(",");
       const entry = freqMap.get(key);
@@ -117,7 +128,8 @@ export function macroOpcodes(bc, compiler) {
       for (let j = 0; j < len; j++) {
         const instr = bc[i + j];
         const op = instr[0];
-        if (!isEligible(op, compiler)) {
+        const isLast = j === len - 1;
+        if (!isEligible(op, compiler, isLast)) {
           valid = false;
           break;
         }

package/dist/transforms/bytecode/resolveContants.js

@@ -1,34 +1,97 @@
 import { SOURCE_NODE_SYM } from "../../compiler.js";
+import { getRandomInt } from "../../utils/random-utils.js";
+import { U16_MAX } from "../../utils/op-utils.js";
 
-// Resolve all {type:"constant", value} operands to integer indices into the
-// constants pool.  Returns both the resolved bytecode and the constants array
-// so the Serializer can use it for comment generation and output.
-// Constant refs may appear at any operand position (index 1, 2, 3, …).
-export function resolveConstants(bc) {
+// Encrypt a string with a position-dependent XOR key (u16) then base64-encode.
+//
+// Each char code is XOR'd with ((key + i) & 0xFFFF), producing a u16 value.
+// The u16 values are packed as little-endian byte pairs (matching decodeBytecode),
+// then base64-encoded so the stored constant is always safe ASCII — no raw Unicode
+// surrogates, control chars, or quote chars that would break JS string literals.
+function concealString(s, key) {
+  const bytes = new Uint8Array(s.length * 2);
+  for (let i = 0; i < s.length; i++) {
+    const code = s.charCodeAt(i) ^ key + i & 0xffff;
+    bytes[i * 2] = code & 0xff;
+    bytes[i * 2 + 1] = code >> 8 & 0xff;
+  }
+  return Buffer.from(bytes).toString("base64");
+}
+
+// Resolve all {type:"constant", value} operands to a PAIR of integer operands:
+//   [constPoolIndex, concealKey]
+//
+// constPoolIndex — index into the constants array (as before).
+// concealKey     — XOR key used to conceal this constant.
+//                  0 means no concealment (concealConstants is off, or the
+//                  value type is not concealable: null, undefined, bool, float…).
+//
+// The constants array stores the CONCEALED value when key != 0.
+// The runtime's _readConstant(idx, key) reverses the concealment on the fly.
+//
+// Both slots are u16; all existing operand serialization handles them identically.
+export function resolveConstants(bc, compiler) {
   const constants = [];
-  const constantsMap = new Map();
+  const constantsMap = new Map(); // original value → pool index
+  const keyMap = new Map(); // pool index → conceal key
+
   function intern(operand) {
     const operandAsObject = typeof operand === "object" && operand ? operand : {};
     const value = operand.value;
     let idx = constantsMap.get(value);
+    let key = 0;
     if (typeof idx !== "number") {
       idx = constants.length;
       constantsMap.set(value, idx);
-      constants.push(value);
+      if (compiler.options.concealConstants && typeof value === "string") {
+        // Strings: position-dependent XOR. Key must be >= 1.
+        key = getRandomInt(1, U16_MAX);
+        constants.push(concealString(value, key));
+      } else if (compiler.options.concealConstants && typeof value === "number" && Number.isInteger(value)) {
+        // Integers: simple XOR. Result is still a valid JS integer.
+        key = getRandomInt(1, U16_MAX);
+        constants.push(value ^ key);
+      } else {
+        // Not concealable (null, undefined, boolean, float, RegExp…) or option off.
+        key = 0;
+        constants.push(value);
+      }
+      keyMap.set(idx, key);
+    } else {
+      // Reuse existing pool entry — same key that was assigned on first intern.
+      key = keyMap.get(idx);
     }
-    const newOperand = {
+    const idxOperand = {
       ...operandAsObject,
       type: "number",
       resolvedValue: idx
     };
-    return newOperand;
+    const keyOperand = {
+      ...operandAsObject,
+      type: "number",
+      resolvedValue: key
+    };
+
+    // key is a plain u16 number — no wrapping needed.
+    return [idxOperand, keyOperand];
   }
   const resolved = [];
   for (const instr of bc) {
     const [op, ...operands] = instr;
     const hasConstant = operands.some(o => o !== undefined && o !== null && typeof o === "object" && o.type === "constant");
     if (hasConstant) {
-      const newOperands = operands.map(operand => operand?.type === "constant" ? intern(operand) : operand);
+      // 1-to-2 expansion: each {type:"constant"} becomes [constIdx, concealKey].
+      const newOperands = [];
+      for (const operand of operands) {
+        if (operand?.type === "constant") {
+          const [idxOperand, key] = intern(operand);
+          const newOperand = operand?.key ? key : idxOperand;
+          newOperands.push(newOperand);
+          // newOperands.push(key); // plain number — serialized as a regular u16 slot
+        } else {
+          newOperands.push(operand);
+        }
+      }
       const newInstr = [op, ...newOperands];
       newInstr[SOURCE_NODE_SYM] = instr[SOURCE_NODE_SYM];
       resolved.push(newInstr);

package/dist/transforms/bytecode/selfModifying.js

@@ -1,4 +1,5 @@
-import { choice } from "../utils/random-utils.js";
+import { choice } from "../../utils/random-utils.js";
+import { getInstructionSize } from "../../utils/op-utils.js";
 export function selfModifying(bc, compiler) {
   // Walk the bytecode looking for "defineLabel" pseudo-ops, which start basic
   // blocks. For each block we collect the body (instructions between the label
@@ -61,7 +62,7 @@ export function selfModifying(bc, compiler) {
       const patchLabel = `patch_${originalLabel}_${patchCount++}`;
 
       // Flat size of the body (each instruction occupies instr.length slots).
-      const bodyFlatSize = body.reduce((acc, instr) => acc + instr.filter(x => x?.placeholder !== true).length, 0);
+      const bodyFlatSize = body.reduce((acc, instr) => acc + getInstructionSize(instr), 0);
 
       // ── PATCH instruction (4 flat slots: opcode + 3 operands) ───────────
       //   destPc     = originalLabel + 4  (slot right after PATCH's 4 slots)

package/dist/transforms/bytecode/specializedOpcodes.js

@@ -1,12 +1,14 @@
 import { SOURCE_NODE_SYM } from "../../compiler.js";
-import { nextFreeSlot, U16_MAX } from "../utils/op-utils.js";
+import { getInstructionSize, nextFreeSlot, U16_MAX } from "../../utils/op-utils.js";
 
 // Creates specialized opcodes for the most frequent (OPCODE + single_integer_operand) pairs.
 // Example: [OP.LOAD_CONST, 1] becomes [SPECIALIZED_LOAD_CONST_1].
 // Only instructions with *exactly one numeric operand* are considered.
-// MAKE_CLOSURE and any instruction with zero / multiple operands are skipped.
+// MAKE_CLOSURE and other N-sized instructions cannot be specialized
 // Runs after selfModifying but before resolveLabels (operands stay plain numbers).
 export function specializedOpcodes(bc, compiler) {
+  const disallowedOps = new Set([compiler.OP.MAKE_CLOSURE, compiler.OP.BUILD_ARRAY, compiler.OP.BUILD_OBJECT, compiler.OP.CALL, compiler.OP.CALL_METHOD, compiler.OP.NEW]);
+
   // ── Collect used opcodes exactly as specified ─────────────────────────────
   const usedOpcodes = new Set(Object.keys(compiler.OP_NAME).map(k => parseInt(k, 10)).filter(v => !isNaN(v)));
   if (usedOpcodes.size > U16_MAX) return {
@@ -17,26 +19,29 @@ export function specializedOpcodes(bc, compiler) {
   const freqMap = new Map();
   for (const instr of bc) {
     const op = instr[0];
-    if (op === null || op === compiler.OP.MAKE_CLOSURE) continue;
+    if (op === null || disallowedOps.has(op)) continue;
 
-    // Must have exactly one operand and it must be a plain number
-    if (instr.length !== 2) continue;
-    const operand = instr[1];
-    const key = `${op},${operand}`;
+    // Only supports between 1-6 operands
+    const operandCount = getInstructionSize(instr) - 1;
+    if (operandCount < 1 || operandCount > 6) continue;
+    const operands = instr.slice(1);
+    const operandsKey = JSON.stringify(operands);
+    const key = `${op},${operandsKey}`;
     const entry = freqMap.get(key);
     if (entry) {
-      entry.count++;
+      entry.occurences++;
     } else {
       freqMap.set(key, {
         op,
-        operand,
-        count: 1
+        operands,
+        operandsKey,
+        occurences: 1
       });
     }
   }
 
   // ── Step 2: keep combinations that appear >= 2 times, sort by frequency ───
-  const candidates = Array.from(freqMap.values()).filter(e => e.count >= 1).sort((a, b) => b.count - a.count);
+  const candidates = Array.from(freqMap.values()).filter(e => e.occurences >= 1).sort((a, b) => b.occurences - a.occurences);
   if (candidates.length === 0) return {
     bytecode: bc
   };
@@ -49,18 +54,19 @@ export function specializedOpcodes(bc, compiler) {
     if (specialOp === -1) break;
     const {
       op: originalOp,
-      operand
+      operands,
+      operandsKey
     } = candidates[i];
-    const key = `${originalOp},${JSON.stringify(operand)}`;
+    const key = `${originalOp},${operandsKey}`;
     sigToSpecial.set(key, specialOp);
     specializedOps[specialOp] = {
       originalOp,
-      operand
+      operands
     };
 
     // Register a human-readable name for disassembly / debugging
     const originalName = compiler.OP_NAME[originalOp] ?? `OP_${originalOp}`;
-    compiler.OP_NAME[specialOp] = `${originalName}_${JSON.stringify(operand)}`;
+    compiler.OP_NAME[specialOp] = `${originalName}_${JSON.stringify(operandsKey)}`;
   }
 
   // Store mapping so the interpreter knows how to dispatch the specialized op
@@ -70,15 +76,20 @@ export function specializedOpcodes(bc, compiler) {
   const result = [];
   for (const instr of bc) {
     const op = instr[0];
-    // Only consider instructions with exactly one numeric operand
-    if (op === null || instr.length !== 2 || op === compiler.OP.MAKE_CLOSURE) {
+    // Only consider instructions with one or more operands
+    if (op === null || instr.length <= 1 || op === compiler.OP.MAKE_CLOSURE) {
+      result.push(instr);
+      continue;
+    }
+    const operands = instr.slice(1);
+    const operandsKey = JSON.stringify(operands);
+    const key = `${op},${operandsKey}`;
+    const specialOpCode = sigToSpecial.get(key);
+    if (!specialOpCode) {
       result.push(instr);
       continue;
     }
-    const operand = instr[1];
-    const key = `${op},${JSON.stringify(operand)}`;
-    if (sigToSpecial.has(key)) {
-      const specialOpCode = sigToSpecial.get(key);
+    const newOperands = operands.map(operand => {
       const operandAsObject = typeof operand === "object" && operand ? operand : {
         type: "number",
         value: operand,
@@ -88,14 +99,13 @@ export function specializedOpcodes(bc, compiler) {
         ...operandAsObject,
         placeholder: true
       };
-      const newInstr = [specialOpCode, newOperand];
+      return newOperand;
+    });
+    const newInstr = [specialOpCode, ...newOperands];
 
-      // Preserve source-node information for error reporting
-      newInstr[SOURCE_NODE_SYM] = instr[SOURCE_NODE_SYM];
-      result.push(newInstr);
-    } else {
-      result.push(instr);
-    }
+    // Preserve source-node information for error reporting
+    newInstr[SOURCE_NODE_SYM] = instr[SOURCE_NODE_SYM];
+    result.push(newInstr);
   }
   return {
     bytecode: result

package/dist/transforms/runtime/aliasedOpcodes.js

@@ -0,0 +1,134 @@
+import * as t from "@babel/types";
+import traverseImport from "@babel/traverse";
+import { ok } from "assert";
+const traverse = traverseImport.default || traverseImport;
+
+// Extract the real statement list from a SwitchCase consequent.
+function extractCaseBody(switchCase) {
+  let stmts;
+  if (switchCase.consequent.length === 1 && t.isBlockStatement(switchCase.consequent[0])) {
+    stmts = switchCase.consequent[0].body;
+  } else {
+    stmts = switchCase.consequent;
+  }
+  return stmts.filter(s => !t.isBreakStatement(s) && !t.isEmptyStatement(s));
+}
+
+// Replace every `this._operand()` call in bodyStmts with `_operands[i]`
+// where i is the call's sequential index (0-based).
+// Returns the number of replacements performed.
+function replaceOperandCalls(bodyStmts) {
+  let replaced = 0;
+  traverse(t.blockStatement(bodyStmts), {
+    noScope: true,
+    CallExpression(path) {
+      const callee = path.node.callee;
+      const isMethodCall = methodName => {
+        return t.isMemberExpression(callee) && t.isThisExpression(callee.object) && t.isIdentifier(callee.property, {
+          name: methodName
+        }) && path.node.arguments.length === 0;
+      };
+
+      // Replace with _operands[i]
+      const createOperandAccess = () => {
+        return t.memberExpression(t.identifier("_operands"), t.numericLiteral(replaced++), true // computed
+        );
+      };
+      if (isMethodCall("_operand")) {
+        path.replaceWith(createOperandAccess());
+      }
+      if (isMethodCall("_constant")) {
+        path.node.arguments = [createOperandAccess(), createOperandAccess()];
+      }
+    }
+  });
+  return replaced;
+}
+
+// Appends a generated switch case for every entry in compiler.ALIASED_OPS.
+// Each alias case:
+//   1. Reads all operands eagerly into `_unsortedOperands` (in the shuffled
+//      bytecode order) via sequential this._operand() calls.
+//   2. Restores the original operand order into `_operands` using the INVERSE
+//      of the stored `order` permutation:
+//        inverseOrder[order[i]] = i
+//        _operands[j] = _unsortedOperands[inverseOrder[j]]
+//      This is necessary because the bytecode stored originalOperands[order[i]]
+//      at slot i, so recovering originalOperands[j] requires the inverse lookup.
+//   3. Executes a clone of the original handler body where every
+//      this._operand() has been replaced by the corresponding `_operands[i]`.
+//
+// Must run AFTER applyMacroOpcodes / applySpecializedOpcodes (so original
+// cases already exist) but BEFORE applyShuffleOpcodes (so the new alias
+// cases are also shuffled into the handler order).
+export function applyAliasedOpcodes(ast, compiler) {
+  if (!compiler.ALIASED_OPS || Object.keys(compiler.ALIASED_OPS).length === 0) return;
+  let switchStatement = null;
+  traverse(ast, {
+    SwitchStatement(path) {
+      if (path.node.leadingComments?.some(c => c.value.includes("@SWITCH"))) {
+        switchStatement = path.node;
+        path.stop();
+      }
+    }
+  });
+  ok(switchStatement, "Could not find @SWITCH statement for aliased opcodes");
+
+  // Build opName → SwitchCase map from existing OP.xxx case tests.
+  const nameToCaseMap = new Map();
+  for (const sc of switchStatement.cases) {
+    const test = sc.test;
+    if (test && t.isMemberExpression(test) && t.isIdentifier(test.object, {
+      name: "OP"
+    }) && t.isIdentifier(test.property)) {
+      nameToCaseMap.set(test.property.name, sc);
+    }
+  }
+  for (const [aliasOpStr, info] of Object.entries(compiler.ALIASED_OPS)) {
+    const aliasOpCode = Number(aliasOpStr);
+    const {
+      originalOp,
+      order
+    } = info;
+    const arity = order.length;
+    const originalName = compiler.OP_NAME[originalOp];
+    if (!originalName) continue;
+    const originalCase = nameToCaseMap.get(originalName);
+    if (!originalCase) continue;
+
+    // Clone the original handler body (deep clone so we don't mutate the source)
+    const bodyStmts = extractCaseBody(originalCase).map(s => t.cloneNode(s, true));
+
+    // Replace this._operand() calls with _operands[i]
+    const replaced = replaceOperandCalls(bodyStmts);
+
+    // If the handler has a different number of _operand() calls than our
+    // recorded arity, skip this alias (variable-operand handler guard).
+    if (replaced !== arity) continue;
+
+    // Build: var _unsortedOperands = [this._operand(), this._operand(), ...]
+    // Reads operands in the NEW (shuffled) bytecode order.
+    const unsortedInit = t.variableDeclaration("let", [t.variableDeclarator(t.identifier("_unsortedOperands"), t.arrayExpression(Array.from({
+      length: arity
+    }, () => t.callExpression(t.memberExpression(t.thisExpression(), t.identifier("_operand")), []))))]);
+
+    // The inverse permutation maps original position j → unsorted index i,
+    // because the bytecode stored originalOperands[order[i]] at slot i.
+    // inverseOrder[j] = i  means: original operand j lives at _unsortedOperands[i]
+    const inverseOrder = new Array(arity);
+    for (let i = 0; i < arity; i++) {
+      inverseOrder[order[i]] = i;
+    }
+
+    // Build: var _operands = [_unsortedOperands[inverseOrder[0]], ...]
+    // Restores the original operand order expected by the handler body.
+    const operandsInit = t.variableDeclaration("let", [t.variableDeclarator(t.identifier("_operands"), t.arrayExpression(inverseOrder.map(idx => t.memberExpression(t.identifier("_unsortedOperands"), t.numericLiteral(idx), true // computed
+    ))))]);
+    const allStmts = [unsortedInit, operandsInit, ...bodyStmts];
+
+    // Add a leading comment for readability in non-minified output
+    t.addComment(allStmts[0], "leading", ` ${compiler.OP_NAME[aliasOpCode]} (order: [${order.join(",")}])`, true);
+    allStmts.push(t.breakStatement());
+    switchStatement.cases.push(t.switchCase(t.numericLiteral(aliasOpCode), [t.blockStatement(allStmts)]));
+  }
+}

package/dist/transforms/runtime/shuffleOpcodes.js

@@ -1,6 +1,6 @@
 import traverseImport from "@babel/traverse";
 import { ok } from "assert";
-import { shuffle } from "../utils/random-utils.js";
+import { shuffle } from "../../utils/random-utils.js";
 const traverse = traverseImport.default || traverseImport;
 
 // Randomly reorder the switch cases inside the @SWITCH statement so the