js-confuser-vm 0.0.5 → 0.0.7

package/dist/transforms/bytecode/aliasedOpcodes.js

@@ -0,0 +1,134 @@
+import { SOURCE_NODE_SYM } from "../../compiler.js";
+import { nextFreeSlot } from "../../utils/op-utils.js";
+import { shuffle } from "../../utils/random-utils.js";
+
+// Opcodes that must not be aliased.
+// Variable-length operand opcodes cannot be statically aliased since the
+// number of this._operand() calls varies at runtime.
+// Infrastructure opcodes (PATCH, TRY_SETUP, TRY_END, DEBUGGER) are excluded
+// because aliasing them would interfere with self-modifying bytecode and
+// exception-handling machinery.
+const DISALLOWED_OP_NAMES = new Set(["MAKE_CLOSURE", "BUILD_ARRAY", "BUILD_OBJECT", "CALL", "CALL_METHOD", "NEW", "PATCH", "TRY_SETUP", "TRY_END", "DEBUGGER"]);
+
+// Creates aliased opcodes: duplicate handlers for commonly-used opcodes,
+// optionally with a permuted operand read order in the bytecode stream.
+//
+// For each aliased op, we record an `order` permutation of length `arity`.
+// order[i] = j means: bytecode slot i holds what was originally operand j.
+//
+// Example: LOAD_GLOBAL [dst, nameIdx] with order=[1,0]:
+//   Bytecode stores:  [ALIAS_OP, nameIdx, dst]
+//   Handler reads:    _unsortedOperands = [nameIdx, dst]
+//                     _operands = [_unsortedOperands[1], _unsortedOperands[0]]
+//                               = [dst, nameIdx]   ← original order restored
+//
+// Runs LAST among bytecode transforms (after selfModifying), before resolveLabels.
+export function aliasedOpcodes(bc, compiler) {
+  // Build a map of base opcode value → name, excluding disallowed ops
+  const baseOpValueToName = new Map();
+  for (const [name, val] of Object.entries(compiler.OP)) {
+    if (DISALLOWED_OP_NAMES.has(name)) continue;
+    baseOpValueToName.set(val, name);
+  }
+
+  // ── Step 1: count frequency and determine arity for each eligible base opcode ─
+  // We scan the actual post-transform bytecode so frequency reflects what's
+  // really left (specialized/macro ops already consumed their share).
+  const opStats = new Map();
+  for (const instr of bc) {
+    const op = instr[0];
+    if (op === null || !baseOpValueToName.has(op)) continue;
+    const arity = instr.length - 1;
+    if (arity < 1) continue; // 0-operand opcodes have nothing to permute
+
+    const existing = opStats.get(op);
+    if (!existing) {
+      opStats.set(op, {
+        freq: 1,
+        arity
+      });
+    } else {
+      if (existing.arity !== arity) {
+        // Inconsistent arity → variable-length; skip
+        existing.arity = null;
+      }
+      existing.freq++;
+    }
+  }
+
+  // ── Step 2: sort by frequency descending, keep only consistent-arity ops ────
+  const candidates = Array.from(opStats.entries()).filter(([, s]) => s.arity !== null).sort(([, a], [, b]) => b.freq - a.freq);
+  if (candidates.length === 0) return {
+    bytecode: bc
+  };
+
+  // ── Step 3: assign free slots, build order permutations ─────────────────────
+  // aliasMap: originalOp → aliasOp (only the winning alias per original op)
+  const aliasMap = new Map();
+  const aliasedOps = {};
+  for (const [originalOp, stats] of candidates) {
+    const aliasOp = nextFreeSlot(compiler);
+    if (aliasOp === -1) break;
+    const arity = stats.arity;
+
+    // Build a permutation of [0 .. arity-1].
+    // For arity >= 2: shuffle until we get a non-identity permutation so the
+    // operand order is actually different (makes the alias more confusing).
+    // For arity == 1: only one permutation exists ([0]); still useful as a clone.
+    let order;
+    if (arity >= 2) {
+      const identity = Array.from({
+        length: arity
+      }, (_, i) => i);
+      let attempts = 0;
+      do {
+        order = shuffle([...identity]);
+        attempts++;
+      } while (attempts < 20 && order.every((v, i) => v === i));
+    } else {
+      order = [0];
+    }
+    aliasMap.set(originalOp, aliasOp);
+    aliasedOps[aliasOp] = {
+      originalOp,
+      order
+    };
+    const originalName = compiler.OP_NAME[originalOp] ?? `OP_${originalOp}`;
+    compiler.OP_NAME[aliasOp] = `ALIAS_${originalName}_${order.join("_")}`;
+  }
+  compiler.ALIASED_OPS = aliasedOps;
+  if (aliasMap.size === 0) return {
+    bytecode: bc
+  };
+
+  // ── Step 4: rewrite bytecode ─────────────────────────────────────────────────
+  const result = [];
+  for (const instr of bc) {
+    const op = instr[0];
+    if (op === null || !aliasMap.has(op)) {
+      result.push(instr);
+      continue;
+    }
+    const aliasOp = aliasMap.get(op);
+    const {
+      order
+    } = aliasedOps[aliasOp];
+    const originalOperands = instr.slice(1);
+
+    // Guard: if arity changed (shouldn't happen after the consistency check),
+    // fall back to the original instruction.
+    if (originalOperands.length !== order.length) {
+      result.push(instr);
+      continue;
+    }
+
+    // Rearrange operands: new slot i receives original operand order[i].
+    const newOperands = order.map(i => originalOperands[i]);
+    const newInstr = [aliasOp, ...newOperands];
+    newInstr[SOURCE_NODE_SYM] = instr[SOURCE_NODE_SYM];
+    result.push(newInstr);
+  }
+  return {
+    bytecode: result
+  };
+}

package/dist/transforms/bytecode/concealConstants.js

@@ -0,0 +1,31 @@
+export function concealConstants(bytecode, compiler) {
+  const newBytecode = [];
+  for (const instr of bytecode) {
+    const [op, ...operands] = instr;
+    const hasContant = operands.some(o => o !== undefined && o !== null && typeof o === "object" && o.type === "constant");
+    if (!hasContant) {
+      newBytecode.push(instr);
+      continue;
+    }
+    const newOperands = [];
+    for (const operand of operands) {
+      if (operand?.type === "constant") {
+        const tsOperand = operand;
+        newOperands.push(operand);
+        newOperands.push({
+          type: "constant",
+          value: tsOperand.value,
+          key: true
+        });
+      } else {
+        newOperands.push(operand);
+      }
+    }
+    instr.length = 0;
+    instr.push(op, ...newOperands);
+    newBytecode.push(instr);
+  }
+  return {
+    bytecode: newBytecode
+  };
+}

package/dist/transforms/bytecode/macroOpcodes.js

@@ -1,14 +1,17 @@
 import { SOURCE_NODE_SYM } from "../../compiler.js";
-import { nextFreeSlot, U16_MAX } from "../utils/op-utils.js";
+import { nextFreeSlot } from "../../utils/op-utils.js";
+import { ok } from "node:assert";
 
-// Opcodes that must not appear inside a macro window.
+// Opcodes that must not appear in a non-terminal position inside a macro window.
 // Jump ops: modifying frame._pc mid-execution causes the macro handler to
 //   run subsequent sub-bodies even after the jump already fired.
 // Frame-changing ops (CALL, CALL_METHOD, NEW, RETURN, THROW): push/pop call
 //   frames mid-macro, leaving the `frame` variable stale for later sub-bodies.
+// When one of these is the LAST instruction in the macro sequence there are no
+//   following sub-bodies, so editing _pc or the call frame is safe.
 // Variable-operand ops (MAKE_CLOSURE): the number of _operand() calls depends
 //   on uvCount at runtime, so a static handler cannot be generated.
-// Infrastructure ops (DATA, PATCH, TRY_SETUP, TRY_END, DEBUGGER):
+// Infrastructure ops (PATCH, TRY_SETUP, TRY_END, DEBUGGER):
 //   either illegal here or nonsensical to fold.
 
 // Scan bytecode for repeating instruction sequences and fold them into
@@ -18,8 +21,7 @@ import { nextFreeSlot, U16_MAX } from "../utils/op-utils.js";
 // Algorithm:
 //   1. Count every eligible window of length 2–5 by its op-code signature.
 //   2. Keep sequences that appear >= 2 times; sort by frequency then length.
-//   3. Assign unused opcode values (0–255, not already claimed by compiler.OP)
-//      to the most-frequent candidates and store in compiler.MACRO_OPS.
+//   3. Use nextFreeSlot() to assign a new opcode to each of the best candidates
 //   4. Re-scan bytecode, replacing each matched sequence with a single
 //      multi-operand instruction:
 //        [macroOpCode, operands_of_instr_0..., operands_of_instr_1..., ...]
@@ -31,23 +33,29 @@ export function macroOpcodes(bc, compiler) {
     const opVal = compiler.OP[name];
     originalOpToName.set(opVal, name);
   }
-  function isEligible(op, compiler) {
+
+  // Names are used instead of codes as specialized opcodes may generate based off these and it should not be considered eligible still
+  const alwaysExcluded = ["PATCH", "TRY_SETUP", "TRY_END", "DEBUGGER", "MAKE_CLOSURE"];
+  const nonTerminalExcluded = ["RETURN", "CALL", "CALL_METHOD", "NEW", "THROW"];
+  function isEligible(op, compiler, isLast = false) {
     if (op === null) return false;
     const {
       OP,
-      JUMP_OPS
+      JUMP_OPS,
+      OP_NAME
     } = compiler;
-    if (JUMP_OPS.has(op)) return false;
-    const excluded = new Set([OP.RETURN, OP.PATCH, OP.TRY_SETUP, OP.TRY_END, OP.DEBUGGER, OP.CALL, OP.CALL_METHOD, OP.NEW, OP.THROW, OP.MAKE_CLOSURE // variable-length operands — cannot generate a static handler
-    ]);
-    return !excluded.has(op) && originalOpToName.has(op); // Only original Ops are eligible (specialized disallowed)
-  }
+    // Infrastructure and variable-length ops are never eligible.
+    const opName = OP_NAME[op];
+    ok(opName, `Unknown opcode ${op} (not in OP_NAME)`);
+    if (alwaysExcluded.find(name => opName.includes(name))) return false;
 
-  // Collect every opcode value already in use so we can find free slots.
-  const usedOpcodes = new Set(Object.values(compiler.OP).filter(v => v !== undefined));
-  if (usedOpcodes.size > U16_MAX) return {
-    bytecode: bc
-  };
+    // Jump and frame-changing ops are only eligible as the terminal instruction.
+    if (!isLast) {
+      if (JUMP_OPS.has(op)) return false;
+      if (nonTerminalExcluded.find(name => opName.includes(name))) return false;
+    }
+    return OP_NAME[op] !== undefined;
+  }
 
   // ── Step 1: count window frequencies ──────────────────────────────────────
   const freqMap = new Map();
@@ -57,14 +65,17 @@ export function macroOpcodes(bc, compiler) {
       const ops = [];
       let valid = true;
       for (let j = 0; j < len; j++) {
-        const op = bc[i + j][0];
-        if (!isEligible(op, compiler)) {
+        const instr = bc[i + j];
+        const op = instr[0];
+        const isLast = j === len - 1;
+        if (!isEligible(op, compiler, isLast)) {
           valid = false;
           break;
         }
         ops.push(op);
       }
-      // If position (i+j) is ineligible, longer windows from i are also invalid.
+      // If position (i+j) is ineligible even as a terminal, longer windows from
+      // i are also invalid (it would be non-terminal there too).
       if (!valid) break;
       const key = ops.join(",");
       const entry = freqMap.get(key);
@@ -87,7 +98,7 @@ export function macroOpcodes(bc, compiler) {
 
   // ── Step 3: assign free opcode slots to the best candidates ───────────────
   for (let i = 0; i < candidates.length; i++) {
-    const macroOp = nextFreeSlot(usedOpcodes);
+    const macroOp = nextFreeSlot(compiler);
     if (macroOp === -1) break;
     const ops = candidates[i].ops;
     compiler.MACRO_OPS[macroOp] = ops;
@@ -117,7 +128,8 @@ export function macroOpcodes(bc, compiler) {
       for (let j = 0; j < len; j++) {
         const instr = bc[i + j];
         const op = instr[0];
-        if (!isEligible(op, compiler)) {
+        const isLast = j === len - 1;
+        if (!isEligible(op, compiler, isLast)) {
           valid = false;
           break;
         }
@@ -132,7 +144,9 @@ export function macroOpcodes(bc, compiler) {
       // Each instruction contributes instr.slice(1) — zero or more operands.
       const allOperands = [];
       for (let j = 0; j < len; j++) {
-        allOperands.push(...bc[i + j].slice(1));
+        var instr = bc[i + j];
+        var operands = instr.slice(1);
+        allOperands.push(...operands);
       }
       const newInstr = [macroOpCode, ...allOperands];
       newInstr[SOURCE_NODE_SYM] = instructions[0][SOURCE_NODE_SYM];

package/dist/transforms/bytecode/microOpcodes.js

@@ -0,0 +1,236 @@
+import { parse } from "@babel/parser";
+import traverseImport from "@babel/traverse";
+import * as t from "@babel/types";
+import { ok } from "assert";
+import { VM_RUNTIME, SOURCE_NODE_SYM } from "../../compiler.js";
+import { nextFreeSlot } from "../../utils/op-utils.js";
+import { nSizedOps } from "./specializedOpcodes.js";
+const traverse = traverseImport.default || traverseImport;
+
+// Extract the real statement list from a SwitchCase consequent.
+function extractCaseBody(switchCase) {
+  let stmts;
+  if (switchCase.consequent.length === 1 && t.isBlockStatement(switchCase.consequent[0])) {
+    stmts = switchCase.consequent[0].body;
+  } else {
+    stmts = switchCase.consequent;
+  }
+  return stmts.filter(s => !t.isBreakStatement(s) && !t.isEmptyStatement(s));
+}
+
+// Count how many IR-level operands a single statement consumes.
+// Returns null if the statement is ineligible (contains a loop, or has
+// _operand()/_constant() calls inside a conditional branch).
+function countStatementOperands(stmt) {
+  let count = 0;
+  let ineligible = false;
+  const file = t.file(t.program([t.cloneNode(stmt, true)]));
+  traverse(file, {
+    enter(path) {
+      if (ineligible) {
+        path.stop();
+        return;
+      }
+      const nodeType = path.node.type;
+
+      // Don't traverse into nested functions
+      if (nodeType === "FunctionDeclaration" || nodeType === "FunctionExpression" || nodeType === "ArrowFunctionExpression") {
+        path.skip();
+        return;
+      }
+
+      // Count _operand() and _constant() calls
+      if (nodeType === "CallExpression") {
+        const call = path.node;
+        const callee = call.callee;
+        if (t.isMemberExpression(callee) && t.isThisExpression(callee.object) && t.isIdentifier(callee.property)) {
+          const name = callee.property.name;
+          const operandsConsumed = name === "_operand" ? 1 : name === "_constant" ? 2 : null;
+          if (operandsConsumed) {
+            // You are not allowed to use _operand() in loops or branches
+            const ancestors = path.getAncestry();
+            if (ancestors.find(t => t.isLoop() || t.isIfStatement() || t.isSwitchStatement() || t.isConditionalExpression() || t.isLogicalExpression())) {
+              ineligible = true;
+              path.stop();
+              return;
+            }
+            count += operandsConsumed;
+          }
+        }
+      }
+    }
+  });
+  return ineligible ? null : count;
+}
+
+// Analyse the VM runtime's @SWITCH statement to build a per-opcode map of
+// { stmtIndex → irOperandCount } for every case that can be split.
+// Returns a map: opValue → array of per-statement operand counts (null if ineligible).
+function analyzeRuntimeCases(compiler) {
+  // Parse the runtime source
+  const ast = parse(VM_RUNTIME, {
+    sourceType: "unambiguous"
+  });
+
+  // Build reverse name→opValue map from original OPs only
+  const nameToOp = new Map();
+  for (const [name, val] of Object.entries(compiler.OP)) {
+    if (val !== undefined) nameToOp.set(name, val);
+  }
+  let switchStatement = null;
+  traverse(ast, {
+    SwitchStatement(path) {
+      if (path.node.leadingComments?.some(c => c.value.includes("@SWITCH"))) {
+        switchStatement = path.node;
+        path.stop();
+      }
+    }
+  });
+  ok(switchStatement, "Could not find @SWITCH statement for micro opcodes");
+  const result = new Map();
+  for (const sc of switchStatement.cases) {
+    const test = sc.test;
+    if (!test || !t.isMemberExpression(test) || !t.isIdentifier(test.object, {
+      name: "OP"
+    }) || !t.isIdentifier(test.property)) {
+      continue;
+    }
+    const opName = test.property.name;
+    const opVal = nameToOp.get(opName);
+    if (opVal === undefined) continue;
+    const stmts = extractCaseBody(sc);
+    if (stmts.length < 2) continue; // need at least 2 statements to split
+
+    const counts = [];
+    let allEligible = true;
+
+    // Banned patterns:
+    // Return statements (Control flow isn't remembered)
+    traverse(t.file(t.program(stmts)), {
+      ReturnStatement(path) {
+        path.stop();
+        allEligible = false;
+      }
+    });
+    for (const stmt of stmts) {
+      const c = countStatementOperands(stmt);
+      if (c === null) {
+        allEligible = false;
+        break;
+      }
+      if (t.isDebuggerStatement(stmt) || t.isThrowStatement(stmt)) {
+        allEligible = false;
+        break;
+      }
+      counts.push(c);
+    }
+    if (!allEligible) continue;
+
+    // Verify that the total operand count matches the instruction size expectation
+    // (just store for now; bytecode pass validates operands match)
+    result.set(opVal, counts);
+  }
+  return result;
+}
+
+// Main bytecode transform: split frequently-used opcodes into per-statement
+// micro-opcodes so each sub-instruction is as small as possible.
+export function microOpcodes(bc, compiler) {
+  // ── Step 1: analyse runtime to discover splittable opcodes ──────────────────
+  const opAnalysis = analyzeRuntimeCases(compiler);
+  if (opAnalysis.size === 0) return {
+    bytecode: bc
+  };
+
+  // ── Step 2: count opcode frequency in bytecode ────────────────────────────
+  const disallowedOps = new Set(nSizedOps.map(name => compiler.OP[name]));
+  disallowedOps.add(compiler.OP.RETURN);
+  const freqMap = new Map();
+  for (const instr of bc) {
+    const op = instr[0];
+    if (op === null || !opAnalysis.has(op) || disallowedOps.has(op)) continue;
+    freqMap.set(op, (freqMap.get(op) ?? 0) + 1);
+  }
+
+  // ── Step 3: sort by frequency, keep opcodes that actually appear ─────────
+  const candidates = Array.from(freqMap.entries()).filter(([, count]) => count >= 1).sort(([, a], [, b]) => b - a).map(([op]) => op);
+  if (candidates.length === 0) return {
+    bytecode: bc
+  };
+
+  // ── Step 4: assign free opcode slots for each sub-statement ─────────────
+  // Build: originalOp → [{ microOp, irOperandCount }, ...]
+  const originalToSubOps = new Map();
+  for (const origOp of candidates) {
+    const stmtCounts = opAnalysis.get(origOp);
+
+    // Pre-allocate all needed slots; if any slot is unavailable, skip this op.
+    const slots = [];
+    for (let si = 0; si < stmtCounts.length; si++) {
+      const slot = nextFreeSlot(compiler);
+      if (slot === -1) break;
+      compiler.OP_NAME[slot] = `MICRO_${origOp}_${si}`;
+      slots.push(slot);
+    }
+    if (slots.length !== stmtCounts.length) continue;
+    const subOps = [];
+    const origName = compiler.OP_NAME[origOp] ?? `OP_${origOp}`;
+    for (let si = 0; si < stmtCounts.length; si++) {
+      const microOp = slots[si];
+      const irOperandCount = stmtCounts[si];
+      subOps.push({
+        microOp,
+        irOperandCount
+      });
+      compiler.OP_NAME[microOp] = `MICRO_${origName}_${si}`;
+      compiler.MICRO_OPS[microOp] = {
+        originalOp: origOp,
+        stmtIndex: si,
+        irOperandCount
+      };
+    }
+    originalToSubOps.set(origOp, subOps);
+  }
+  if (originalToSubOps.size === 0) return {
+    bytecode: bc
+  };
+
+  // ── Step 5: replace each matched instruction with sub-instructions ────────
+  const result = [];
+  for (const instr of bc) {
+    const op = instr[0];
+    if (op === null || !originalToSubOps.has(op)) {
+      result.push(instr);
+      continue;
+    }
+    const subOps = originalToSubOps.get(op);
+    const operands = instr.slice(1); // all operands of the original instruction
+
+    // Verify total operand count matches sum of sub-op IR operand counts
+    const expectedTotal = subOps.reduce((s, {
+      irOperandCount
+    }) => s + irOperandCount, 0);
+    if (operands.length !== expectedTotal) {
+      throw new Error(`Operand count mismatch for opcode ${compiler.OP_NAME[op]}`);
+    }
+
+    // Split operands among sub-instructions
+    let offset = 0;
+    for (const {
+      microOp,
+      irOperandCount
+    } of subOps) {
+      const subOperands = operands.slice(offset, offset + irOperandCount);
+      offset += irOperandCount;
+      const newInstr = [microOp, ...subOperands];
+      // Carry source-node info on the first sub-instruction
+      if (offset === irOperandCount) {
+        newInstr[SOURCE_NODE_SYM] = instr[SOURCE_NODE_SYM];
+      }
+      result.push(newInstr);
+    }
+  }
+  return {
+    bytecode: result
+  };
+}

package/dist/transforms/bytecode/resolveContants.js

@@ -1,34 +1,91 @@
 import { SOURCE_NODE_SYM } from "../../compiler.js";
+import { getRandomInt } from "../../utils/random-utils.js";
+import { U16_MAX } from "../../utils/op-utils.js";
 
-// Resolve all {type:"constant", value} operands to integer indices into the
-// constants pool.  Returns both the resolved bytecode and the constants array
-// so the Serializer can use it for comment generation and output.
-// Constant refs may appear at any operand position (index 1, 2, 3, …).
-export function resolveConstants(bc) {
+// Encrypt a string with a position-dependent XOR key (u16) then base64-encode.
+//
+// Each char code is XOR'd with ((key + i) & 0xFFFF), producing a u16 value.
+// The u16 values are packed as little-endian byte pairs (matching decodeBytecode),
+// then base64-encoded so the stored constant is always safe ASCII — no raw Unicode
+// surrogates, control chars, or quote chars that would break JS string literals.
+function concealString(s, key) {
+  const bytes = new Uint8Array(s.length * 2);
+  for (let i = 0; i < s.length; i++) {
+    const code = s.charCodeAt(i) ^ key + i & 0xffff;
+    bytes[i * 2] = code & 0xff;
+    bytes[i * 2 + 1] = code >> 8 & 0xff;
+  }
+  return Buffer.from(bytes).toString("base64");
+}
+
+// Resolve all {type:"constant", value} (index) and {type:"constant", value, key: true} (key) operands
+//
+// constPoolIndex — index into the constants array (as before).
+// concealKey     — XOR key used to conceal this constant.
+//                  0 means no concealment (concealConstants is off, or the
+//                  value type is not concealable: null, undefined, bool, float…).
+//
+// The constants array stores the CONCEALED value when key != 0.
+// The runtime's _readConstant(idx, key) reverses the concealment on the fly.
+//
+// Both slots are u16; all existing operand serialization handles them identically.
+export function resolveConstants(bc, compiler) {
   const constants = [];
-  const constantsMap = new Map();
+  const constantsMap = new Map(); // original value → pool index
+  const keyMap = new Map(); // pool index → conceal key
+
   function intern(operand) {
-    const operandAsObject = typeof operand === "object" && operand ? operand : {};
     const value = operand.value;
     let idx = constantsMap.get(value);
+    let key = 0;
     if (typeof idx !== "number") {
       idx = constants.length;
       constantsMap.set(value, idx);
-      constants.push(value);
+      if (compiler.options.concealConstants && typeof value === "string") {
+        // Strings: position-dependent XOR. Key must be >= 1.
+        key = getRandomInt(1, U16_MAX);
+        constants.push(concealString(value, key));
+      } else if (compiler.options.concealConstants && typeof value === "number" && Number.isInteger(value)) {
+        // Integers: simple XOR. Result is still a valid JS integer.
+        key = getRandomInt(1, U16_MAX);
+        constants.push(value ^ key);
+      } else {
+        // Not concealable (null, undefined, boolean, float, RegExp…) or option off.
+        key = 0;
+        constants.push(value);
+      }
+      keyMap.set(idx, key);
+    } else {
+      // Reuse existing pool entry — same key that was assigned on first intern.
+      key = keyMap.get(idx);
     }
-    const newOperand = {
-      ...operandAsObject,
+    const idxOperand = {
       type: "number",
       resolvedValue: idx
     };
-    return newOperand;
+    const keyOperand = {
+      type: "number",
+      resolvedValue: key
+    };
+
+    // key is a plain u16 number — no wrapping needed.
+    return [idxOperand, keyOperand];
   }
   const resolved = [];
   for (const instr of bc) {
     const [op, ...operands] = instr;
     const hasConstant = operands.some(o => o !== undefined && o !== null && typeof o === "object" && o.type === "constant");
     if (hasConstant) {
-      const newOperands = operands.map(operand => operand?.type === "constant" ? intern(operand) : operand);
+      // 1-to-2 expansion: each {type:"constant"} becomes [constIdx, concealKey].
+      const newOperands = operands.map(operand => {
+        if (operand?.type === "constant") {
+          const [idxOperand, key] = intern(operand);
+          const newOperand = operand?.key ? key : idxOperand;
+          return Object.assign(operand, newOperand);
+        } else {
+          return operand;
+        }
+      });
       const newInstr = [op, ...newOperands];
       newInstr[SOURCE_NODE_SYM] = instr[SOURCE_NODE_SYM];
       resolved.push(newInstr);

package/dist/transforms/bytecode/resolveLabels.js

@@ -54,13 +54,15 @@ export function resolveLabels(bc, compiler) {
       if (operand !== undefined && operand !== null && typeof operand === "object" && operand.type === "label") {
         const pc = labelToPc.get(operand.label);
         if (pc === undefined) throw new Error(`Undefined label: ${operand.label}`);
-        var operandAsObject = typeof operand === "object" && operand ? operand : {};
         const newOperand = {
-          ...operandAsObject,
-          // Preverse original operand properties
           type: "number",
           resolvedValue: pc + (operand.offset ?? 0)
         };
+
+        // Mutate original object so that references are also updated
+        if (typeof operand === "object" && operand !== null) {
+          return Object.assign(operand, newOperand);
+        }
         return newOperand;
       }
       return operand;

package/dist/transforms/bytecode/selfModifying.js

@@ -1,4 +1,5 @@
-import { choice } from "../utils/random-utils.js";
+import { choice } from "../../utils/random-utils.js";
+import { getInstructionSize } from "../../utils/op-utils.js";
 export function selfModifying(bc, compiler) {
   // Walk the bytecode looking for "defineLabel" pseudo-ops, which start basic
   // blocks. For each block we collect the body (instructions between the label
@@ -61,7 +62,7 @@ export function selfModifying(bc, compiler) {
       const patchLabel = `patch_${originalLabel}_${patchCount++}`;
 
       // Flat size of the body (each instruction occupies instr.length slots).
-      const bodyFlatSize = body.reduce((acc, instr) => acc + instr.filter(x => x?.placeholder !== true).length, 0);
+      const bodyFlatSize = body.reduce((acc, instr) => acc + getInstructionSize(instr), 0);
 
       // ── PATCH instruction (4 flat slots: opcode + 3 operands) ───────────
       //   destPc     = originalLabel + 4  (slot right after PATCH's 4 slots)