js-confuser-vm 0.1.0 → 0.1.2

package/dist/transforms/bytecode/dispatcher.js

@@ -78,27 +78,17 @@
 // Runs BEFORE resolveRegisters (so injected RegisterOperands are picked up by
 // liveness analysis) and BEFORE resolveLabels (so label operands with transforms
 // are resolved as part of the normal label-resolution pass).
-//
-// Enabled by options.dispatcher = true.
 
 import * as b from "../../types.js";
 import { getRandomInt } from "../../utils/random-utils.js";
 import { U16_MAX } from "../../utils/op-utils.js";
 import { Template } from "../../template.js";
-
+import { ref, buildMaxIdMap, allocReg, extractLabel, forEachFunction } from "../../utils/pass-utils.js";
 // VERY IMPORTANT: All object operands should be unique objects for the entire compilation process.
 // This ensures that other passes that may reference/modify operands (e.g. specializedOpcodes) don't accidentally break behavior by mutating cloned objects.
-function ref(r) {
-  return b.registerOperand(r.id, r.fnId);
-}
 
-// Monotonically increasing counter that makes every encoded label operand
-// JSON.stringify-distinguishable.  specializedOpcodes keys candidates by
-// JSON.stringify(operands), which drops the transform function.  Without this
-// counter, two LOAD_INT instructions for the same label but different siteKeys
-// would serialize identically and be coalesced into one specialized opcode
-// sharing a single operand object — causing both sites to decode with the
-// first site's key rather than their own.
+// VERY IMPORTANT: All "encoded" label operands include a unique "_id" property that survives JSON.stringify.
+// This allows Specialized Opcodes and other passes to correct distinguish them as the "transform" function WILL NOT be preserved
 let _encodedLabelId = 0;
 function encodedLabelOperand(label, siteKey, fnSalt) {
   return {
@@ -120,38 +110,6 @@ function applyEncoding(pc, siteKey, fnSalt) {
   return pc - fnSalt & U16_MAX ^ siteKey;
 }
 
-// ── Register allocation helpers ───────────────────────────────────────────────
-// At pass time FnContext objects are gone; we allocate new virtual registers by
-// scanning the bytecode for the highest existing id per fnId and incrementing.
-function buildMaxIdMap(bc) {
-  const maxId = new Map();
-  for (const instr of bc) {
-    for (let j = 1; j < instr.length; j++) {
-      const op = instr[j];
-      if (op && op.type === "register") {
-        const cur = maxId.get(op.fnId) ?? -1;
-        if (op.id > cur) maxId.set(op.fnId, op.id);
-      }
-    }
-  }
-  return maxId;
-}
-
-// Allocate a new virtual register for fnId, updating maxId in-place.
-function allocReg(fnId, maxId) {
-  const next = (maxId.get(fnId) ?? -1) + 1;
-  maxId.set(fnId, next);
-  return b.registerOperand(next, fnId);
-}
-
-// ── Label operand extraction ──────────────────────────────────────────────────
-// Returns the label string if the operand is a { type:"label" } object,
-// otherwise returns null.  Used to identify routable jump targets.
-function extractLabel(op) {
-  if (op && typeof op === "object" && op.type === "label") return op.label;
-  return null;
-}
-
 // buildDispatcherBlock: emits the dispatcher label + call + indirect jump.
 // rClosure is already live (created at function entry); this block simply
 // calls the decode closure and jumps to the result.
@@ -187,7 +145,7 @@ function processFunctionBlock(instrs, fnId, compiler, maxId, labelCounter) {
   });
   if (!hasRoutableJump) return {
     instrs,
-    templateBytecode: []
+    tail: []
   };
 
   // Per-function salt baked into this function's decode Template.
@@ -195,10 +153,8 @@ function processFunctionBlock(instrs, fnId, compiler, maxId, labelCounter) {
   const fnSalt = getRandomInt(1, U16_MAX);
 
   // Compile a unique decode closure for this function.
-  // The fnSalt literal is inlined into the source so each function's closure
-  // body is structurally distinct; no single signature covers all functions.
-  const tmpl = new Template(`function decode(x, k) { return ((x ^ k) + ${fnSalt}) & ${U16_MAX}; }`).compile({}, compiler);
-  const decodeDesc = tmpl.functions[0];
+  const template = new Template(`function decode(x, k) { return ((x ^ k) + ${fnSalt}) & ${U16_MAX}; }`).compile({}, compiler);
+  const decodeDesc = template.functions[0];
   const dispatcherLabel = labelCounter();
   const rDisp = allocReg(fnId, maxId); // carries encoded PC to dispatcher
   const rKey = allocReg(fnId, maxId); // carries per-site key to dispatcher
@@ -214,7 +170,9 @@ function processFunctionBlock(instrs, fnId, compiler, maxId, labelCounter) {
   // 2 (x, k)
   b.fnRegCountOperand(decodeDesc._fnIdx),
   // resolved by resolveRegisters()
-  0 // no upvalues
+  0,
+  // no upvalues
+  0 // hasRest = false
   ]);
 
   // ── Transform each instruction ────────────────────────────────────────────
@@ -292,71 +250,17 @@ function processFunctionBlock(instrs, fnId, compiler, maxId, labelCounter) {
   out.push(...buildDispatcherBlock(compiler, rDisp, rKey, rClosure, dispatcherLabel));
   return {
     instrs: out,
-    templateBytecode: tmpl.bytecode
+    tail: template.bytecode
   };
 }
 
 // ── Pass entry point ──────────────────────────────────────────────────────────
 export function dispatcher(bc, compiler) {
-  // Pre-compute max virtual register id per function across the whole bytecode.
   const maxId = buildMaxIdMap(bc);
-
-  // Label factory that delegates to the compiler's own counter so labels
-  // produced here never collide with compiler-generated or pass-generated ones.
+  // Label factory delegates to the compiler's counter so labels never collide.
   const labelCounter = () => compiler._makeLabel("dispatcher");
-
-  // Build a set of entry labels so we can detect function boundaries.
-  const entryLabels = new Set(compiler.fnDescriptors.map(d => d.entryLabel));
-  // Build a map from entry label → fnId.
-  const entryLabelToFnId = new Map(compiler.fnDescriptors.map(d => [d.entryLabel, d._fnIdx]));
-  const result = [];
-  // Collect each function's decode Template bytecode; appended at the end so
-  // all MAKE_CLOSURE instructions can reference their entryLabels regardless
-  // of where in the bytecode the function appears.
-  const decodeBytecodes = [];
-  let i = 0;
-  while (i < bc.length) {
-    const instr = bc[i];
-    const [op, operand0] = instr;
-    const isEntryLabel = op === null && operand0?.type === "defineLabel" && entryLabels.has(operand0.label);
-    if (!isEntryLabel) {
-      result.push(instr);
-      i++;
-      continue;
-    }
-
-    // Found a function entry label.  Collect all instructions belonging to
-    // this function (until the next entry label or end of bytecode).
-    const entryLabel = operand0.label;
-    const fnId = entryLabelToFnId.get(entryLabel);
-    i++; // step past the defineLabel itself
-
-    const fnInstrs = [];
-    while (i < bc.length) {
-      const next = bc[i];
-      const [nextOp, nextOp0] = next;
-      if (nextOp === null && nextOp0?.type === "defineLabel" && entryLabels.has(nextOp0.label)) break; // next function starts here
-      fnInstrs.push(next);
-      i++;
-    }
-
-    // Emit the entry defineLabel, then the (potentially transformed) body.
-    result.push(instr); // the defineLabel
-    const {
-      instrs: processed,
-      templateBytecode
-    } = processFunctionBlock(fnInstrs, fnId, compiler, maxId, labelCounter);
-    result.push(...processed);
-    if (templateBytecode.length > 0) decodeBytecodes.push(templateBytecode);
-  }
-
-  // Append all per-function decode closure bodies at the end of the bytecode.
-  // Each block defines the entryLabel that the corresponding MAKE_CLOSURE
-  // instruction references.
-  for (const tb of decodeBytecodes) {
-    result.push(...tb);
-  }
-  return {
-    bytecode: result
-  };
+  // forEachFunction collects each function's tail (decode closure bytecode) and
+  // appends them all after the last function body, so every MAKE_CLOSURE can
+  // reference its entryLabel regardless of where it appears in the bytecode.
+  return forEachFunction(bc, compiler, (fnInstrs, fnId) => processFunctionBlock(fnInstrs, fnId, compiler, maxId, labelCounter));
 }

package/dist/transforms/bytecode/macroOpcodes.js

@@ -1,4 +1,4 @@
-import { SOURCE_NODE_SYM } from "../../compiler.js";
+import { OP_ORIGINAL, SOURCE_NODE_SYM } from "../../compiler.js";
 import { nextFreeSlot } from "../../utils/op-utils.js";
 import { ok } from "assert";
 
@@ -54,7 +54,7 @@ export function macroOpcodes(bc, compiler) {
       if (JUMP_OPS.has(op)) return false;
       if (nonTerminalExcluded.find(name => opName.includes(name))) return false;
     }
-    return OP_NAME[op] !== undefined;
+    return OP_NAME[op] !== undefined && OP_ORIGINAL[opName] !== undefined;
   }
 
   // ── Step 1: count window frequencies ──────────────────────────────────────

package/{src/transforms/bytecode/resolveContants.ts → dist/transforms/bytecode/resolveConstants.js}

@@ -1,7 +1,6 @@
-import type * as b from "../../types.ts";
-import { Compiler, SOURCE_NODE_SYM } from "../../compiler.ts";
-import { getRandomInt } from "../../utils/random-utils.ts";
-import { U16_MAX } from "../../utils/op-utils.ts";
+import { SOURCE_NODE_SYM } from "../../compiler.js";
+import { getRandomInt } from "../../utils/random-utils.js";
+import { U16_MAX } from "../../utils/op-utils.js";
 
 // Encrypt a string with a position-dependent XOR key (u16) then base64-encode.
 //
@@ -9,12 +8,12 @@ import { U16_MAX } from "../../utils/op-utils.ts";
 // The u16 values are packed as little-endian byte pairs (matching decodeBytecode),
 // then base64-encoded so the stored constant is always safe ASCII — no raw Unicode
 // surrogates, control chars, or quote chars that would break JS string literals.
-function concealString(s: string, key: number): string {
+function concealString(s, key) {
   const bytes = new Uint8Array(s.length * 2);
   for (let i = 0; i < s.length; i++) {
-    const code = s.charCodeAt(i) ^ ((key + i) & 0xffff);
+    const code = s.charCodeAt(i) ^ key + i & 0xffff;
     bytes[i * 2] = code & 0xff;
-    bytes[i * 2 + 1] = (code >> 8) & 0xff;
+    bytes[i * 2 + 1] = code >> 8 & 0xff;
   }
   return Buffer.from(bytes).toString("base64");
 }
@@ -30,36 +29,23 @@ function concealString(s: string, key: number): string {
 // The runtime's _readConstant(idx, key) reverses the concealment on the fly.
 //
 // Both slots are u16; all existing operand serialization handles them identically.
-export function resolveConstants(
-  bc: b.Bytecode,
-  compiler: Compiler,
-): {
-  bytecode: b.Bytecode;
-  constants: any[];
-} {
-  const constants: any[] = [];
-  const constantsMap = new Map<any, number>(); // original value → pool index
-  const keyMap = new Map<number, number>(); // pool index → conceal key
-
-  function intern(operand: b.InstrOperand): [b.InstrOperand, number] {
-    const value = (operand as any).value;
+export function resolveConstants(bc, compiler) {
+  const constants = [];
+  const constantsMap = new Map(); // original value → pool index
+  const keyMap = new Map(); // pool index → conceal key
 
+  function intern(operand) {
+    const value = operand.value;
     let idx = constantsMap.get(value);
     let key = 0;
-
     if (typeof idx !== "number") {
       idx = constants.length;
       constantsMap.set(value, idx);
-
       if (compiler.options.concealConstants && typeof value === "string") {
         // Strings: position-dependent XOR. Key must be >= 1.
         key = getRandomInt(1, U16_MAX);
         constants.push(concealString(value, key));
-      } else if (
-        compiler.options.concealConstants &&
-        typeof value === "number" &&
-        Number.isInteger(value)
-      ) {
+      } else if (compiler.options.concealConstants && typeof value === "number" && Number.isInteger(value)) {
         // Integers: simple XOR. Result is still a valid JS integer.
         key = getRandomInt(1, U16_MAX);
         constants.push(value ^ key);
@@ -68,59 +54,47 @@ export function resolveConstants(
         key = 0;
         constants.push(value);
       }
-
       keyMap.set(idx, key);
     } else {
       // Reuse existing pool entry — same key that was assigned on first intern.
-      key = keyMap.get(idx)!;
+      key = keyMap.get(idx);
     }
-
-    const idxOperand: any = {
+    const idxOperand = {
       type: "number",
-      resolvedValue: idx,
+      resolvedValue: idx
     };
-
-    const keyOperand: any = {
+    const keyOperand = {
       type: "number",
-      resolvedValue: key,
+      resolvedValue: key
     };
 
     // key is a plain u16 number — no wrapping needed.
     return [idxOperand, keyOperand];
   }
-
-  const resolved: b.Bytecode = [];
+  const resolved = [];
   for (const instr of bc) {
     const [op, ...operands] = instr;
-
-    const hasConstant = operands.some(
-      (o) =>
-        o !== undefined &&
-        o !== null &&
-        typeof o === "object" &&
-        (o as any).type === "constant",
-    );
-
+    const hasConstant = operands.some(o => o !== undefined && o !== null && typeof o === "object" && o.type === "constant");
     if (hasConstant) {
       // 1-to-2 expansion: each {type:"constant"} becomes [constIdx, concealKey].
-      const newOperands: b.InstrOperand[] = operands.map((operand) => {
-        if ((operand as any)?.type === "constant") {
+      const newOperands = operands.map(operand => {
+        if (operand?.type === "constant") {
           const [idxOperand, key] = intern(operand);
-          const newOperand = (operand as any)?.key ? key : idxOperand;
-
+          const newOperand = operand?.key ? key : idxOperand;
           return Object.assign(operand, newOperand);
         } else {
           return operand;
         }
       });
-
-      const newInstr = [op, ...newOperands] as b.Instruction;
-      (newInstr as any)[SOURCE_NODE_SYM] = (instr as any)[SOURCE_NODE_SYM];
+      const newInstr = [op, ...newOperands];
+      newInstr[SOURCE_NODE_SYM] = instr[SOURCE_NODE_SYM];
       resolved.push(newInstr);
     } else {
       resolved.push(instr);
     }
   }
-
-  return { bytecode: resolved, constants };
-}
+  return {
+    bytecode: resolved,
+    constants
+  };
+}

package/dist/transforms/bytecode/resolveRegisters.js

@@ -30,6 +30,10 @@
 
 export function resolveRegisters(bc, compiler) {
   function registerPoolKey(op) {
+    // Pinned registers must never share a slot with anything else.
+    // Passes set this on registers whose live range crosses a CFF back-edge
+    // that the linear-scan liveness analysis cannot see.
+    if (op.pinned) return "local::";
     return `${op.kind ?? "local"}::${op.scopeId ?? ""}`;
   }
 
@@ -120,16 +124,31 @@ export function resolveRegisters(bc, compiler) {
     // nextSlot is the high-water mark: the next fresh slot to allocate.
     // It is shared across all pools so each pool's slots start above the
     // previous pool's maximum slot.
-    let nextSlot = 0;
+    //
+    // Leading locals (params, `arguments`, `this`) have slots fixed by position
+    // and are written by the runtime at call time. Start the cursor above that
+    // reserved region so no other register can land in it — even when some
+    // reserved locals are unused (and therefore never collected above). This is
+    // essential for correctness: e.g. a function with unused named params whose
+    // `arguments` is captured by a nested arrow would otherwise slide into a
+    // param slot and read a parameter value instead of the arguments object.
+    const reserved = compiler.fnDescriptors[fnId]?.reservedRegisters ?? 0;
+    let nextSlot = reserved;
     for (const poolKey of sortedPoolKeys) {
       const regs = pools.get(poolKey);
       if (poolKey === "local::") {
         // ── Local pool: virtual-id order, no reuse ────────────────────────
-        // Params must be at the lowest slots (written by the runtime at call
-        // time); upvalue captures must keep their slot for the frame's lifetime.
+        // Reserved leading locals keep an identity slot mapping (id N → slot N)
+        // so the runtime's positional writes always land correctly; upvalue
+        // captures must keep their slot for the frame's lifetime. Remaining
+        // locals (hoisted vars, captured variables) pack above the reserved region.
         regs.sort((a, b) => a.id - b.id);
         for (const reg of regs) {
-          slotMap.set(reg.id, nextSlot++);
+          if (reg.id < reserved) {
+            slotMap.set(reg.id, reg.id);
+          } else {
+            slotMap.set(reg.id, nextSlot++);
+          }
         }
       } else {
         // ── Non-local pool: firstUse order, linear-scan reuse ─────────────

package/dist/transforms/bytecode/selfModifying.js

@@ -1,23 +1,30 @@
-import { choice } from "../../utils/random-utils.js";
+import { choice, getRandomInt } from "../../utils/random-utils.js";
 import { getInstructionSize } from "../../utils/op-utils.js";
 export function selfModifying(bc, compiler) {
   // Walk the bytecode looking for "defineLabel" pseudo-ops, which start basic
   // blocks. For each block we collect the body (instructions between the label
-  // and the next label/jump terminator), move it to the end of the bytecode
-  // under a fresh "patch_LXX" label, and replace it in-place with:
+  // and the next label/jump terminator), pick a random-sized, random-offset
+  // sub-region within that body, move only that region to the end of the
+  // bytecode under a fresh "patch_LXX" label, and replace it in-place with:
   //
   //   defineLabel ("originalLabel")               ← kept as-is (pseudo-op)
+  //   <prefix instructions>                        ← body before the region (kept)
   //   PATCH  destPc  sliceStart  sliceEnd          ← 4 flat slots total
-  //   Garbage Opcodes  × bodyFlatSize                         ← placeholder slots
+  //   Garbage Opcodes  × regionFlatSize            ← placeholder slots
+  //   <suffix instructions>                        ← body after the region (kept)
   //
   // PATCH reads three inline operands via _operand():
-  //   destPc     = originalLabel + 4  (first slot after PATCH's own 4 slots)
-  //   sliceStart = patchLabel          (flat PC of appended body)
-  //   sliceEnd   = patchLabel + bodyFlatSize
+  //   destPc     = originalLabel + prefixFlatSize + 4  (first placeholder slot)
+  //   sliceStart = patchLabel          (flat PC of appended region)
+  //   sliceEnd   = patchLabel + regionFlatSize
   //
   // On first execution PATCH copies bytecode[sliceStart..sliceEnd) over the
   // placeholder region starting at destPc.  Execution then falls through into
-  // the freshly-patched body.  Subsequent calls are idempotent.
+  // the freshly-patched region (and onward into the suffix). Subsequent calls
+  // are idempotent.
+  //
+  // A budget caps the extra bytecode this pass adds to ~100% of the input
+  // bytecode size. Once exhausted, remaining blocks are emitted untouched.
 
   const {
     OP,
@@ -26,6 +33,18 @@ export function selfModifying(bc, compiler) {
   const result = [];
   const appended = [];
   let patchCount = 0;
+
+  // Budget: allow this pass to add at most one extra copy (100%) of the input
+  // bytecode size. "Size" here is the number of instruction entries, matching
+  // the reported `bytecodeSize` (= bytecode.length).
+  //
+  // Each patch adds, in entry terms:
+  //   in-place:  +1 PATCH entry, +regionFlatSize placeholder entries,
+  //              −region.length region entries (moved out)
+  //   appended:  +1 defineLabel marker, +region.length region entries
+  //   net delta = 2 + regionFlatSize
+  const budget = bc.length;
+  let added = 0;
   let i = 0;
   while (i < bc.length) {
     const instr = bc[i];
@@ -55,46 +74,94 @@ export function selfModifying(bc, compiler) {
       }
       const body = bc.slice(i, j);
       const N = body.length;
-      if (N === 0) {
-        // Nothing to transform — label is immediately followed by a terminator.
+      const flatSize = chunk => chunk.reduce((acc, instr) => acc + getInstructionSize(instr), 0);
+
+      // Each patch adds (2 + regionFlatSize) entries (see budget note above).
+      // Stop patching once there isn't room for even the smallest patch —
+      // remaining blocks (and empty blocks) are emitted untouched.
+      const remaining = budget - added;
+      if (N === 0 || remaining < 2 + 1) {
+        for (const bodyInstr of body) {
+          result.push(bodyInstr);
+        }
+        i = j;
         continue;
       }
+
+      // ── Pick a random-sized, random-offset region within the body ────────
+      // prefix = body[0, regionStart)   (kept in place, executes normally)
+      // region = body[regionStart, regionEnd)   (self-modified)
+      // suffix = body[regionEnd, N)     (kept in place)
+      const regionStart = getRandomInt(0, N - 1);
+      const regionLen = getRandomInt(1, N - regionStart);
+      let region = body.slice(regionStart, regionStart + regionLen);
+      let regionFlatSize = flatSize(region);
+
+      // Trim the region from the end so the patch fits the remaining budget,
+      // keeping the cap strict (never overshoot 100% growth).
+      while (region.length > 1 && 2 + regionFlatSize > remaining) {
+        region = region.slice(0, -1);
+        regionFlatSize = flatSize(region);
+      }
+      if (2 + regionFlatSize > remaining) {
+        // Even a single-instruction region doesn't fit — leave block untouched.
+        for (const bodyInstr of body) {
+          result.push(bodyInstr);
+        }
+        i = j;
+        continue;
+      }
+      const regionEnd = regionStart + region.length;
+      const prefix = body.slice(0, regionStart);
+      const suffix = body.slice(regionEnd);
+      const prefixFlatSize = flatSize(prefix);
       const patchLabel = `patch_${originalLabel}_${patchCount++}`;
 
-      // Flat size of the body (each instruction occupies instr.length slots).
-      const bodyFlatSize = body.reduce((acc, instr) => acc + getInstructionSize(instr), 0);
+      // Charge the budget (entry count): PATCH entry + defineLabel marker +
+      // placeholder entries (region.length cancels between in-place and append).
+      added += 2 + regionFlatSize;
+
+      // ── Prefix instructions (kept as-is) ────────────────────────────────
+      for (const prefixInstr of prefix) {
+        result.push(prefixInstr);
+      }
 
       // ── PATCH instruction (4 flat slots: opcode + 3 operands) ───────────
-      //   destPc     = originalLabel + 4  (slot right after PATCH's 4 slots)
+      //   destPc     = originalLabel + prefixFlatSize + 4  (first placeholder)
       //   sliceStart = patchLabel
-      //   sliceEnd   = patchLabel + bodyFlatSize
+      //   sliceEnd   = patchLabel + regionFlatSize
       result.push([OP.PATCH, {
         type: "label",
         label: originalLabel,
-        offset: 4
+        offset: prefixFlatSize + 4
       }, {
         type: "label",
         label: patchLabel
       }, {
         type: "label",
         label: patchLabel,
-        offset: bodyFlatSize
+        offset: regionFlatSize
       }]);
 
-      // ── Placeholders (Garbage Opcodes * bodyFlatSize, each 1 flat slot) ────────────
+      // ── Placeholders (Garbage Opcodes * regionFlatSize, each 1 flat slot) ──
       // These are overwritten by PATCH on first execution.
-      for (let p = 0; p < bodyFlatSize; p++) {
+      for (let p = 0; p < regionFlatSize; p++) {
         const randomOpcode = choice(Object.values(compiler.OP));
         result.push([+randomOpcode]);
       }
 
-      // ── Append real body at end ─────────────────────────────────────────
+      // ── Suffix instructions (kept as-is) ────────────────────────────────
+      for (const suffixInstr of suffix) {
+        result.push(suffixInstr);
+      }
+
+      // ── Append real region at end ───────────────────────────────────────
       appended.push([null, {
         type: "defineLabel",
         label: patchLabel
       }]);
-      for (const bodyInstr of body) {
-        appended.push(bodyInstr);
+      for (const regionInstr of region) {
+        appended.push(regionInstr);
       }
       i = j; // skip over the original body in the input array
       continue;