js-confuser-vm 0.1.0 → 0.1.1

package/dist/template.js

@@ -139,4 +139,120 @@ export class Template {
       bytecode: innerBytecode
     };
   }
+
+  // ── Inline compilation ───────────────────────────────────────────────────
+  /**
+   * Compile the template and return the **main scope** bytecode, with all
+   * register operands remapped to belong to `targetFnId`.  This allows
+   * bytecode transforms to express high-level JS control flow (while-loops,
+   * if-chains, variable declarations) via Template and splice the result
+   * directly into an existing function's instruction stream.
+   *
+   * The implicit trailing RETURN added by _compileFunctionDecl is stripped —
+   * inline code should flow into the surrounding bytecode, not return.
+   *
+   * @param variables       Substitution map for {name} placeholders.
+   * @param parentCompiler  The Compiler whose OP table, label counter, and
+   *                        fnDescriptors are shared.
+   * @param targetFnId      The function whose register file the template's
+   *                        registers should be remapped into.
+   * @param maxId           Live map of max register id per fnId — updated
+   *                        in-place as new registers are allocated.
+   *
+   * @returns
+   *   bytecode   — main-scope IR (no entry defineLabel, no trailing RETURN),
+   *                ready to splice into the target function's instruction stream.
+   *   registers  — mapping of JS variable names → remapped RegisterOperands,
+   *                so the caller can reference template-declared variables
+   *                (e.g. the `state` variable in CFF).
+   *   functions  — inner function descriptors (same as compile()).
+   *   innerBytecode — inner function bytecode blocks (same as compile()).
+   */
+  compileInline(variables, parentCompiler, targetFnId, maxId) {
+    const code = this._interpolate(variables);
+    const child = new Compiler({
+      ...DEFAULT_OPTIONS,
+      randomizeOpcodes: false
+    });
+    child.OP = {
+      ...parentCompiler.OP
+    };
+    child.OP_NAME = {
+      ...parentCompiler.OP_NAME
+    };
+    child.JUMP_OPS = new Set(parentCompiler.JUMP_OPS);
+    child._makeLabel = parentCompiler._makeLabel.bind(parentCompiler);
+    const startIdx = parentCompiler.fnDescriptors.length;
+    child.fnDescriptors = parentCompiler.fnDescriptors;
+    child.compile(code);
+    const mainDesc = parentCompiler.fnDescriptors[startIdx];
+    const mainFnId = mainDesc._fnIdx;
+    const mainBc = mainDesc.bytecode;
+
+    // ── Remap registers from the template's main fnId → targetFnId ────────
+    // Build a mapping: old register id → new RegisterOperand in targetFnId.
+    const regRemap = new Map();
+    const remapReg = id => {
+      if (!regRemap.has(id)) {
+        const next = (maxId.get(targetFnId) ?? -1) + 1;
+        maxId.set(targetFnId, next);
+        regRemap.set(id, {
+          type: "register",
+          id: next,
+          fnId: targetFnId
+        });
+      }
+      return regRemap.get(id);
+    };
+    for (const instr of mainBc) {
+      for (let j = 1; j < instr.length; j++) {
+        const op = instr[j];
+        if (op && typeof op === "object" && op.type === "register" && op.fnId === mainFnId) {
+          const mapped = remapReg(op.id);
+          op.id = mapped.id;
+          op.fnId = mapped.fnId;
+        }
+      }
+    }
+
+    // ── Build variable name → remapped register mapping ───────────────────
+    const registers = new Map();
+    const locals = mainDesc.ctx.scope._locals;
+    for (const [name, reg] of locals) {
+      const mapped = regRemap.get(reg.id);
+      if (mapped) registers.set(name, mapped);
+    }
+
+    // ── Strip entry defineLabel and trailing implicit RETURN ───────────────
+    let bytecode = mainBc.filter(instr => {
+      const op0 = instr[1];
+      return !(instr[0] === null && op0?.type === "defineLabel" && op0.label === mainDesc.entryLabel);
+    });
+
+    // Remove trailing LOAD_CONST undefined + RETURN (implicit return added
+    // by _compileFunctionDecl).
+    const OP = parentCompiler.OP;
+    if (bytecode.length >= 2 && bytecode[bytecode.length - 1][0] === OP.RETURN && bytecode[bytecode.length - 2][0] === OP.LOAD_CONST) {
+      bytecode = bytecode.slice(0, -2);
+    }
+
+    // ── Inner function bytecode (same as compile()) ───────────────────────
+    const innerDescs = parentCompiler.fnDescriptors.slice(startIdx + 1);
+    const innerBytecode = [];
+    for (const desc of innerDescs) {
+      innerBytecode.push([null, {
+        type: "defineLabel",
+        label: desc.entryLabel
+      }]);
+      for (const instr of desc.bytecode) {
+        innerBytecode.push(instr);
+      }
+    }
+    return {
+      bytecode,
+      registers,
+      functions: innerDescs,
+      innerBytecode
+    };
+  }
 }

package/dist/transforms/bytecode/aliasedOpcodes.js

@@ -1,4 +1,4 @@
-import { SOURCE_NODE_SYM } from "../../compiler.js";
+import { OP_ORIGINAL, SOURCE_NODE_SYM } from "../../compiler.js";
 import { nextFreeSlot } from "../../utils/op-utils.js";
 import { shuffle } from "../../utils/random-utils.js";
 
@@ -41,6 +41,9 @@ export function aliasedOpcodes(bc, compiler) {
     const arity = instr.length - 1;
     if (arity < 1) continue; // 0-operand opcodes have nothing to permute
 
+    const opName = compiler.OP_NAME[op];
+    if (!OP_ORIGINAL[opName]) continue; // only consider original ops, not already-specialized ones
+
     const existing = opStats.get(op);
     if (!existing) {
       opStats.set(op, {

package/dist/transforms/bytecode/controlFlowFlattening.js

@@ -0,0 +1,451 @@
+// Control Flow Flattening (CFF)
+//
+// Splits each function into basic blocks and routes all execution through a
+// while-loop + switch-style comparison chain that dispatches based on a
+// `state` register.  Original jumps become state transitions.
+//
+// ── How it works ─────────────────────────────────────────────────────────────
+//
+// 1. Each function's instruction stream is split into basic blocks at every
+//    label definition and after every terminator (JUMP, JUMP_IF_*, RETURN,
+//    THROW).
+//
+// 2. Each block is assigned a random u16 state value.  A sentinel endState
+//    (not used by any block) marks loop termination.
+//
+// 3. A dispatch loop is compiled from a Template:
+//
+//      var state = <startState>;
+//      while (state !== <endState>) {
+//        if (state === <s0>) _VM_JUMP_("<block0>");
+//        if (state === <s1>) _VM_JUMP_("<block1>");
+//        ...
+//      }
+//
+//    The Template's `state` register is extracted via compileInline() so that
+//    block bodies can write state transitions to it.
+//
+// 4. Block bodies are emitted with their original instructions.  Terminators
+//    are rewritten:
+//
+//      JUMP target         → LOAD_INT state, targetBlock.stateValue
+//                             JUMP <loopTop>
+//
+//      JUMP_IF_FALSE c, t  → JUMP_IF_TRUE c, <skipLabel>
+//                             LOAD_INT state, targetBlock.stateValue
+//                             JUMP <loopTop>
+//                             <skipLabel>:
+//                             LOAD_INT state, fallthroughBlock.stateValue
+//                             JUMP <loopTop>
+//
+//      RETURN / THROW      → kept in-place (exits the VM frame directly)
+//
+// 5. Block order is shuffled randomly so spatial locality gives no hints.
+//
+// ── Pipeline position ─────────────────────────────────────────────────────────
+// Same slot as Dispatcher: before resolveRegisters and resolveLabels.
+// Can run alongside Dispatcher (they are composable).
+
+import { getRandomInt } from "../../utils/random-utils.js";
+import { U16_MAX } from "../../utils/op-utils.js";
+import { Template } from "../../template.js";
+import { ref, buildMaxIdMap, forEachFunction, extractLabel } from "../../utils/pass-utils.js";
+
+// ── Basic block splitting ────────────────────────────────────────────────────
+
+function isTerminator(op, compiler) {
+  const OP = compiler.OP;
+  return op === OP.JUMP || op === OP.JUMP_IF_FALSE || op === OP.JUMP_IF_TRUE || op === OP.RETURN || op === OP.THROW;
+}
+function splitBasicBlocks(instrs, compiler) {
+  const blocks = [];
+  const usedStates = new Set();
+  const assignState = () => {
+    let s;
+    do {
+      s = getRandomInt(0, U16_MAX);
+    } while (usedStates.has(s));
+    usedStates.add(s);
+    return s;
+  };
+  let currentLabel = null;
+  let currentBody = [];
+  const flushBlock = terminator => {
+    if (currentBody.length === 0 && terminator === null && currentLabel === null) return;
+    const label = currentLabel ?? compiler._makeLabel("cff_block");
+    blocks.push({
+      label,
+      body: currentBody,
+      terminator,
+      stateValue: assignState(),
+      originalNextIndex: -1 // filled in after all blocks are created
+    });
+    currentBody = [];
+    currentLabel = null;
+  };
+  for (const instr of instrs) {
+    const op = instr[0];
+
+    // defineLabel → start a new block boundary
+    if (op === null && instr[1]?.type === "defineLabel") {
+      flushBlock(null);
+      currentLabel = instr[1].label;
+      continue;
+    }
+
+    // Terminator → ends the current block
+    if (op !== null && isTerminator(op, compiler)) {
+      flushBlock(instr);
+      continue;
+    }
+    currentBody.push(instr);
+  }
+
+  // Flush trailing instructions
+  flushBlock(null);
+
+  // Split large blocks (> MAX_BLOCK_SIZE instructions) into smaller chunks
+  // so that no single block reveals too much sequential code.
+  const MAX_BLOCK_SIZE = 3;
+  const splitBlocks = [];
+  for (const block of blocks) {
+    if (block.body.length <= MAX_BLOCK_SIZE) {
+      splitBlocks.push(block);
+      continue;
+    }
+    // Chunk the body into pieces of MAX_BLOCK_SIZE
+    for (let j = 0; j < block.body.length; j += MAX_BLOCK_SIZE) {
+      const isFirst = j === 0;
+      const isLast = j + MAX_BLOCK_SIZE >= block.body.length;
+      splitBlocks.push({
+        label: isFirst ? block.label : compiler._makeLabel("cff_split"),
+        body: block.body.slice(j, j + MAX_BLOCK_SIZE),
+        terminator: isLast ? block.terminator : null,
+        stateValue: isFirst ? block.stateValue : assignState(),
+        originalNextIndex: -1
+      });
+    }
+  }
+  // Replace blocks with split result
+  blocks.length = 0;
+  blocks.push(...splitBlocks);
+
+  // Wire up originalNextIndex for fallthrough resolution
+  for (let i = 0; i < blocks.length - 1; i++) {
+    blocks[i].originalNextIndex = i + 1;
+  }
+  // Last block has no successor
+  if (blocks.length > 0) {
+    blocks[blocks.length - 1].originalNextIndex = -1;
+  }
+  return blocks;
+}
+
+// ── Cross-block register promotion ───────────────────────────────────────────
+// Scans all blocks (bodies + terminators) and finds register operands that
+// appear in more than one block.  Those registers must not be in the "temp"
+// pool because resolveRegisters' linear scan doesn't understand the CFF
+// dispatch loop and would reuse their slots between blocks.
+//
+// Promotion is done in-place: we delete the `kind` property on the operand
+// objects so they default to the "local::" pool (which never reuses slots).
+
+function promoteMultiBlockRegisters(blocks) {
+  // (fnId, regId) → index of first block where this register was seen
+  const regFirstBlock = new Map();
+  // Set of register keys that appear in 2+ blocks
+  const multiBlockRegs = new Set();
+  for (let bi = 0; bi < blocks.length; bi++) {
+    const allInstrs = blocks[bi].terminator ? [...blocks[bi].body, blocks[bi].terminator] : blocks[bi].body;
+    for (const instr of allInstrs) {
+      for (let j = 1; j < instr.length; j++) {
+        const op = instr[j];
+        if (op && typeof op === "object" && op.type === "register") {
+          const key = `${op.fnId}:${op.id}`;
+          const first = regFirstBlock.get(key);
+          if (first === undefined) {
+            regFirstBlock.set(key, bi);
+          } else if (first !== bi) {
+            multiBlockRegs.add(key);
+          }
+        }
+      }
+    }
+  }
+  if (multiBlockRegs.size === 0) return;
+
+  // Second pass: pin all operand instances of multi-block registers so that
+  // resolveRegisters assigns them to the "local::" pool (no slot reuse).
+  for (const block of blocks) {
+    const allInstrs = block.terminator ? [...block.body, block.terminator] : block.body;
+    for (const instr of allInstrs) {
+      for (let j = 1; j < instr.length; j++) {
+        const op = instr[j];
+        if (op && typeof op === "object" && op.type === "register") {
+          const key = `${op.fnId}:${op.id}`;
+          if (multiBlockRegs.has(key)) {
+            op.pinned = true;
+          }
+        }
+      }
+    }
+  }
+}
+
+// ── Generate the dispatch loop via Template ──────────────────────────────────
+
+function buildDispatchTemplate(blocks, endState, startState, compiler, fnId, maxId) {
+  // Build the if-chain cases
+  const cases = blocks.map(block => `if (state === ${block.stateValue}) _VM_JUMP_("${block.label}");`).join("\n    ");
+  const source = `
+    var state = ${startState};
+    while (state !== ${endState}) {
+      ${cases}
+    }
+  `;
+  const tmpl = new Template(source);
+  const result = tmpl.compileInline({}, compiler, fnId, maxId);
+
+  // Pin ALL dispatch-loop registers so resolveRegisters assigns them to the
+  // "local::" pool (no slot reuse).  The dispatch loop is re-entered on every
+  // state transition (backward JUMP to while_top), but the linear-scan liveness
+  // in resolveRegisters doesn't track loops and would incorrectly treat dispatch
+  // temps as dead after one pass, allowing their slots to be reused by body
+  // registers that are live across blocks.
+  for (const instr of result.bytecode) {
+    for (let j = 1; j < instr.length; j++) {
+      const op = instr[j];
+      if (op && typeof op === "object" && op.type === "register") {
+        op.pinned = true;
+      }
+    }
+  }
+  const rState = result.registers.get("state");
+  if (!rState) {
+    throw new Error("CFF: Template did not produce a 'state' register");
+  }
+
+  // Find the while loop labels from the compiled IR
+  let loopTopLabel = null;
+  let loopExitLabel = null;
+  for (const instr of result.bytecode) {
+    if (instr[0] === null && instr[1]?.type === "defineLabel") {
+      const label = instr[1].label;
+      if (label.includes("while_top") && !loopTopLabel) {
+        loopTopLabel = label;
+      }
+      if (label.includes("while_exit") && !loopExitLabel) {
+        loopExitLabel = label;
+      }
+    }
+  }
+  if (!loopTopLabel || !loopExitLabel) {
+    throw new Error("CFF: Could not find while loop labels in Template output");
+  }
+  return {
+    bytecode: result.bytecode,
+    rState,
+    loopTopLabel,
+    loopExitLabel,
+    innerBytecode: result.innerBytecode
+  };
+}
+
+// ── State transition helpers ─────────────────────────────────────────────────
+
+function emitStateTransition(out, rState, targetState, loopTopLabel, compiler) {
+  out.push([compiler.OP.LOAD_INT, ref(rState), targetState]);
+  out.push([compiler.OP.JUMP, {
+    type: "label",
+    label: loopTopLabel
+  }]);
+}
+
+// ── Per-function transformation ──────────────────────────────────────────────
+
+function processFunctionBlock(instrs, fnId, compiler, maxId) {
+  const OP = compiler.OP;
+
+  // Only transform functions that contain simple jumps
+  const hasRoutableJump = instrs.some(instr => {
+    const op = instr[0];
+    return op === OP.JUMP || op === OP.JUMP_IF_FALSE || op === OP.JUMP_IF_TRUE;
+  });
+  if (!hasRoutableJump) return {
+    instrs,
+    tail: []
+  };
+
+  // ── 1. Split into basic blocks ──────────────────────────────────────────
+  const blocks = splitBasicBlocks(instrs, compiler);
+  if (blocks.length < 2) return {
+    instrs,
+    tail: []
+  };
+
+  // ── 1b. Promote cross-block registers to "local" pool ──────────────────
+  // resolveRegisters does a linear-scan liveness analysis that doesn't
+  // understand the CFF dispatch loop (backward jumps).  A "temp" register
+  // that's live across two blocks would appear to die within its first
+  // block and get its slot reused, corrupting values read in later blocks.
+  //
+  // Fix: find every register that appears in more than one block and
+  // delete its "temp" kind so it lands in the "local::" pool (no reuse).
+  promoteMultiBlockRegisters(blocks);
+  const usedStates = new Set(blocks.map(b => b.stateValue));
+
+  // Pick endState sentinel
+  let endState;
+  do {
+    endState = getRandomInt(0, U16_MAX);
+  } while (usedStates.has(endState));
+  const startState = blocks[0].stateValue;
+
+  // ── 2. Build dispatch loop from Template ────────────────────────────────
+  const dispatch = buildDispatchTemplate(blocks, endState, startState, compiler, fnId, maxId);
+  const {
+    rState,
+    loopTopLabel,
+    loopExitLabel
+  } = dispatch;
+
+  // ── 3. Pre-compute all state mappings BEFORE shuffle ─────────────────
+  // These maps capture the correct stateValues while the blocks array is
+  // still in its original split order.  After the shuffle, indexing into
+  // blocks[] by original index would give the wrong block.
+
+  // label → stateValue (for jump target resolution)
+  const labelToState = new Map();
+  for (const block of blocks) {
+    labelToState.set(block.label, block.stateValue);
+  }
+
+  // originalIndex → fallthrough stateValue
+  const fallthroughStateMap = new Map();
+  for (let i = 0; i < blocks.length; i++) {
+    const next = blocks[i].originalNextIndex;
+    fallthroughStateMap.set(i, next >= 0 ? blocks[next].stateValue : endState);
+  }
+
+  // ── 4. Shuffle block order ──────────────────────────────────────────────
+  // Track which original index each shuffled position came from, so we can
+  // look up fallthroughStateMap correctly during emission.
+  const originalIndices = blocks.map((_, i) => i);
+
+  // Fisher-Yates shuffle
+  for (let i = blocks.length - 1; i > 0; i--) {
+    const j = getRandomInt(0, i);
+    [blocks[i], blocks[j]] = [blocks[j], blocks[i]];
+    [originalIndices[i], originalIndices[j]] = [originalIndices[j], originalIndices[i]];
+  }
+
+  // ── 5. Emit: dispatch loop + block bodies ───────────────────────────────
+  const out = [];
+
+  // Dispatch loop (var state = ...; while(...) { if-chain })
+  out.push(...dispatch.bytecode);
+
+  // Each block: defineLabel → body → state transition → JUMP loopTop
+  for (let i = 0; i < blocks.length; i++) {
+    const block = blocks[i];
+    const origIdx = originalIndices[i];
+
+    // Block label
+    out.push([null, {
+      type: "defineLabel",
+      label: block.label
+    }]);
+
+    // Block body
+    out.push(...block.body);
+
+    // Terminator rewriting
+    const term = block.terminator;
+    if (term === null) {
+      // Fallthrough → transition to the original next block's state
+      emitStateTransition(out, rState, fallthroughStateMap.get(origIdx), loopTopLabel, compiler);
+    } else if (term[0] === OP.RETURN || term[0] === OP.THROW) {
+      // Exits the frame — emit as-is
+      out.push(term);
+    } else if (term[0] === OP.JUMP) {
+      const targetLabel = extractLabel(term[1]);
+      if (targetLabel !== null) {
+        const targetState = labelToState.get(targetLabel);
+        if (targetState !== undefined) {
+          emitStateTransition(out, rState, targetState, loopTopLabel, compiler);
+        } else {
+          // Target outside this function's blocks — keep original
+          out.push(term);
+        }
+      } else {
+        out.push(term);
+      }
+    } else if (term[0] === OP.JUMP_IF_FALSE) {
+      // Original: if (!cond) goto target; else fallthrough
+      // → if (cond) goto skipLabel  (inverted)
+      //   state = targetState; goto loopTop
+      //   skipLabel:
+      //   state = fallthroughState; goto loopTop
+      const cond = term[1];
+      const targetLabel = extractLabel(term[2]);
+      if (targetLabel !== null) {
+        const targetState = labelToState.get(targetLabel);
+        if (targetState !== undefined) {
+          const skipLabel = compiler._makeLabel("cff_skip");
+          out.push([OP.JUMP_IF_TRUE, cond, {
+            type: "label",
+            label: skipLabel
+          }]);
+          emitStateTransition(out, rState, targetState, loopTopLabel, compiler);
+          out.push([null, {
+            type: "defineLabel",
+            label: skipLabel
+          }]);
+          emitStateTransition(out, rState, fallthroughStateMap.get(origIdx), loopTopLabel, compiler);
+        } else {
+          out.push(term);
+        }
+      } else {
+        out.push(term);
+      }
+    } else if (term[0] === OP.JUMP_IF_TRUE) {
+      // Original: if (cond) goto target; else fallthrough
+      // → if (!cond) goto skipLabel  (inverted)
+      //   state = targetState; goto loopTop
+      //   skipLabel:
+      //   state = fallthroughState; goto loopTop
+      const cond = term[1];
+      const targetLabel = extractLabel(term[2]);
+      if (targetLabel !== null) {
+        const targetState = labelToState.get(targetLabel);
+        if (targetState !== undefined) {
+          const skipLabel = compiler._makeLabel("cff_skip");
+          out.push([OP.JUMP_IF_FALSE, cond, {
+            type: "label",
+            label: skipLabel
+          }]);
+          emitStateTransition(out, rState, targetState, loopTopLabel, compiler);
+          out.push([null, {
+            type: "defineLabel",
+            label: skipLabel
+          }]);
+          emitStateTransition(out, rState, fallthroughStateMap.get(origIdx), loopTopLabel, compiler);
+        } else {
+          out.push(term);
+        }
+      } else {
+        out.push(term);
+      }
+    }
+  }
+  return {
+    instrs: out,
+    tail: dispatch.innerBytecode
+  };
+}
+
+// ── Pass entry point ──────────────────────────────────────────────────────────
+export function controlFlowFlattening(bc, compiler) {
+  const maxId = buildMaxIdMap(bc);
+  return forEachFunction(bc, compiler, (fnInstrs, fnId) => processFunctionBlock(fnInstrs, fnId, compiler, maxId));
+}